TabaPay
Developers

Notices and Versions

Come here often and look for important information, including information about current and future releases...

Notices


Important Notice regarding Sandbox Environment

Network Connectivity to the Sandbox Environment should be restored as of 12/07/2018. In the future, inactive IP Addresses will be disabled in the Sandbox Environment. Contact TabaPay Support if you need to reenable a disabled IP Address. If you need more IP Addresses whitelisted, consider using a Proxy (or our Proxy).


4th Quarter is always time for our many Annual (and Quarterly) PCI Tasks. So we will be busy working on our many PCI Tasks. Also, every Quarter as part of our PCI Tasks, we will be trimming the Sandbox Database. We have noticed that some are creating:

We are also monitoring Production and some have already been informed about having:

If you don't clean up, we will have to. Remember, inactive accounts will incur an extra charge and might be deleted. So it is better for you to delete them rather than for us to delete them.

We are trying to have a code freeze (blackout) period between 12/10/2018-01/02/2019 for the holidays.

Release v0.16.20181205 was deployed on 12/05/2018 in the Sandbox Environment and (planned) on 12/09/2018 in the Production Environment.

There should be no expectations on the Sandbox Environment; see the FAQ for the Sandbox Environment. The Sandbox Environment uses Simulators, so the accuracy of these Simulators may not be exactly the same as you will see in Production. For example, AVS calls will most likely always return a Network Response Code of 85; we will change the Simulator in the near future to reflect this.

Ready for Production? Please read the Production FAQ.

We have multiple Environments:

The last two Environments are for TabaPay Internal Use Only.

We will try not to update this WebSite before the corresponding Code Release to the Sandbox Environment. However, this WebSite might be slightly ahead of the Code Release to the Sandbox and Production Environments. So some things that are described on this WebSite may not yet be available and working in the Environment you are using.


Operations Notes

On Sandbox Environment, your Client will now be limited to the IPs Whitelisted for that Client. If you have more than one Client, you will need to specify the IPs to be Whitelisted for each Client separately. This will also be implemented on the Production Environment soon...


Questions of the Month (or Answers of the Month):
Creating unused and/or inactive Accounts will result in:


The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.


If you need help, please contact support@TabaPay.com with the following:

In order to help us help you, please be as accurate as possible. Also, see the Coding FAQ.


WebSite Updates

This WebSite was last updated on 12/05/2018 at 17:35 PST.

Versions

View details of the major changes for all Versions.
Version        Environment (Dev / QA, Sandbox, Production)
0.17           v0.17.2018XXXX
0.16           v0.16.20181205
0.15           v0.15.20180920
0.14           v0.14.20180628
0.13 / 0.09    v0.13.20180416 / v0.09.20180416
0.12 / 0.08    v0.12.20180212 / v0.08.20180212
0.11 / 0.07    v0.11.20180125 / v0.07.20180125
0.10 / 0.06    v0.10.20171215 / v0.06.20171215
0.05           v0.05.20171015
0.04           v0.04.20170920
0.03           v0.03.20170823
0.02           v0.02.20170805
0.01           v0.01.20170711

Developers WebSite

This WebSite is a SPA (Single Page Application), which means:

If you use this WebSite offline, please be sure to check for any updates (see WebSite Updates, above)...

Terms and Conditions

By using this WebSite and/or using the software (API), you agree that neither this WebSite nor the information disclosed therein nor the software nor any part thereof shall be reproduced or transferred to other WebSites or documents nor used or disclosed for any purpose except as specifically authorized in writing by TabaPay.

This WebSite is preliminary and is subject to change.

TabaPay makes no representation or warranties, expressed or implied, as to the truth or accuracy of any information contained herein. This WebSite may include typographical errors and technical inaccuracies. This WebSite is provided "as is" and all expressed or implied conditions, representations and warranties, including any implied warranty of merchantability, fitness for a particular purpose, or non-infringement, are disclaimed; except to the extent that such disclaimers are held to be legally invalid.

The URLs and ResourceIDs specified on this WebSite are only used for illustrative purposes (temporary placeholders and/or samples) and do not reflect the actual URLs and ResourceIDs to be used (in Sandbox or Production). Please contact TabaPay Support for the actual URLs and ResourceIDs to be used for your situation.

Overview

The TabaPay Web Service (API) is just a simple RESTful Web Service that uses standard HTTPS to:

where the Request Data and the Response Data are formatted using standard JSON.

HTTP Header

Authorization: Bearer <TokenValue>
Content-type: application/json

HTTP Cookies

No cookies are used.

IP Whitelisting

Only the IP Addresses that you specify to us will work. Our Firewalls will block all non-whitelisted IP Addresses.

You will need to reverify your IP Addresses every year, otherwise they will be removed.

Client Certificate

Possible future support, but from past experience, no one really wanted to use Client Certificates.

Resources

The TabaPay Web Service (API) consists of the following resources and operations (methods):

Some characteristics of a Resource are:

Resource IDs

Some characteristics of a ResourceID are:

Client

This resource represents a Client.

The only operation available for this resource is:

●   Retrieve
Retrieves the attributes of a Client

Only TabaPay can:

●   Create
●   Update
including locking a Client
●   Delete
a Client. If you need to Update your Client Information, please contact TabaPay support.

Retrieve Client

Retrieves the attributes of a Client.
URL
https://<FQDN>/v1/clients/<ClientID>
HTTP Method
GET
Request
No Request Data
Response
Status Codes
Status Code   Description
200 OK        The Client's Attributes are returned.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name            Value                       Description                                                                              Status Code (200 / Other)
SC                   Integer, 3-digits           HTTP Status Code                                                                         O
EC                   String, 1 or 8-characters   Internal Error Code                                                                      O
EM                   String                      Error Message                                                                            O
label                String (no whitespaces)     Client Label
networks             object                      List of Available Networks
  pull               array of Strings            For Pull Transactions; Array can be empty or is a List of Network Names
  push               array of Strings            For Push Transactions; Array can be empty or is a List of Network Names
limits               object
  currency           String, 3-digits            ISO 4217 Currency Number
  pull               object
    transaction      String, Amount              Pull Transaction Limit
    daily            String, Amount              Approximate Pull Daily Limit
    networks         array of objects            List of Network Limits; Network is listed only if different from above Pull Limits       O
      network        String                      Network Name
      transaction    String, Amount              Network Pull Transaction Limit
      daily          String, Amount              Approximate Network Pull Daily Limit
  push               object
    transaction      String, Amount              Push Transaction Limit
    daily            String, Amount              Approximate Push Daily Limit
    networks         array of objects            List of Network Limits; Network is listed only if different from above Push Limits       O
      network        String                      Network Name
      transaction    String, Amount              Network Push Transaction Limit
      daily          String, Amount              Approximate Network Push Daily Limit
  Samples
Client's Attributes returned:
{
  "SC": 200,
  "EC": "0",
  "label": "ClientLabel",
  "networks":
  {
    "pull":
    [
      "STAR",
      "Visa"
    ],
    "push":
    [
      "STAR",
      "CU24",
      "Visa"
    ]
  },
  "limits":
  {
    "currency": "840",
    "pull":
    {
      "transaction": "0.25",
      "daily": "1.00"
    },
    "push":
    {
      "transaction": "0.25",
      "daily": "1.00",
      "networks":
      [
        {
          "network": "CU24",
          "transaction": "0.20",
          "daily": "1.00"
        }
      ]
    }
  }
}

Client not found:
{
  "SC": 404,
  "EC": "3A100000",
  "EM": "Not Found"
}

Client locked:
{
  "SC": 423,
  "EC": "3A100000",
  "EM": "Locked"
}
Notes
The Client Label is the human readable identifier used to identify you versus using your ClientID. It may be used:
  • in part of the file name for various Reports we generate for you, and
  • in part of the URL for access to the Client WebSite.

Key

This resource represents a RSA Encryption Key.

The operations that are available for this resource are:

●   Create
Creates a Key
●   Retrieve
Retrieves a Key
●   Delete
Deletes a Key

Create Key

Creates a Key.
URL
https://<FQDN>/v1/clients/<ClientID>/keys
HTTP Method
POST
Request
Request Data
JSON Name    Value                         Required   Default   Description
format       String                        R                    Public Key Response Format, either ASN.1 or Raw (Modulus and Public Exponent)
expiration   Integer, Between 1 and 365    R                    Key Expiration Time: Minimum of 1 day, Maximum of 365 days
  Samples
ASN.1
{
  "format": "ASN.1",
  "expiration": 365
}
Raw (Modulus and Public Exponent)
{
  "format": "Raw",
  "expiration": 365
}
Response
Status Codes
Status Code             Description
200 OK                  A Key is created.
429 Too Many Requests   Created too many Keys. See Notes Below...

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name     Value                       Description                                                 Status Code (ASN.1 200 / Raw 200 / Other)
SC            Integer, 3-digits           HTTP Status Code                                            O
EC            String, 1 or 8-characters   Internal Error Code                                         O
EM            String                      Error Message                                               O
keyID         String, 22-characters       KeyID
key           String                      ASN.1, encoded in Base64 URL-Safe Character Set
keyModulus    String                      Modulus, encoded in Base64 URL-Safe Character Set
keyExponent   String                      Public Exponent, encoded in Base64 URL-Safe Character Set
expiration    String                      Key Expiration in yyyy-MM-ddTHH:mm:ssZ Format.
  Samples
Key created returned in ASN.1 format:
{
  "SC": 200,
  "EC": "0",
  "keyID": "TabaPay_KeyID_22-chars",
  "key": "Base64_Encoded_Key",
  "expiration": "2017-04-03T00:00:00Z"
}
Key created returned in Raw format:
{
  "SC": 200,
  "EC": "0",
  "keyID": "TabaPay_KeyID_22-chars",
  "keyModulus": "Base64_Encoded_Modulus",
  "keyExponent": "Base64_Encoded_Exponent",
  "expiration": "2017-04-03T00:00:00Z"
}
Notes
You should have at most 2 keys active at any one time. If you create more than 2 keys that are currently active (expiration date), you might get a return of SC=429, Too Many Requests. However, if the system detects that there are more than 2 keys that are currently active (expiration date), the system may automatically delete the older keys until there are at most 2 keys that are currently active.

Retrieve Key

Retrieves the Key.
URL
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>?Format=ASN.1
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>?Format=Raw
HTTP Method
GET
Request
No Request Data
Response
Status Codes
Status Code   Description
200 OK        The Key is returned.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name     Value                       Description                                                 Status Code (ASN.1 200 / Raw 200 / Other)
SC            Integer, 3-digits           HTTP Status Code                                            O
EC            String, 1 or 8-characters   Internal Error Code                                         O
EM            String                      Error Message                                               O
key           String                      ASN.1, encoded in Base64 URL-Safe Character Set
keyModulus    String                      Modulus, encoded in Base64 URL-Safe Character Set
keyExponent   String                      Public Exponent, encoded in Base64 URL-Safe Character Set
expiration    String                      Key Expiration in yyyy-MM-ddTHH:mm:ssZ Format.
  Samples
Key returned in ASN.1 format:
{
  "SC": 200,
  "EC": "0",
  "keyID": "TabaPay_KeyID_22-chars",
  "key": "Base64_Encoded_Key",
  "expiration": "2017-04-03T00:00:00Z"
}
Key returned in Raw format:
{
  "SC": 200,
  "EC": "0",
  "keyID": "TabaPay_KeyID_22-chars",
  "keyModulus": "Base64_Encoded_Modulus",
  "keyExponent": "Base64_Encoded_Exponent",
  "expiration": "2017-04-03T00:00:00Z"
}
Notes
The default Format is Raw.

Delete Key

Deletes a Key.
URL
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>
HTTP Method
DELETE
Request
No Request Data
Response
Status Codes
Status Code   Description
200 OK        The Key is marked for deletion.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name   Value                       Description           Status Code (200 / Other)
SC          Integer, 3-digits           HTTP Status Code      O
EC          String, 1 or 8-characters   Internal Error Code   O
EM          String                      Error Message         O
  Samples
Key deleted:
{
  "SC": 200,
  "EC": "0"
}

Key not found:
{
  "SC": 404,
  "EC": "10000000"
}

Key already marked for deletion:
{
  "SC": 410,
  "EC": "50000000"
}
Notes
Keys are automatically deleted after their expiration.

Card

This resource represents a Payment Card (Debit Card, PrePaid Card, or Credit Card).

The only operation available for this resource is:

●   Query
Returns the attributes for the requested Payment Card

Query Card

Returns the attributes for the requested Payment Card. Optionally:

If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.

URL
https://<FQDN>/v1/clients/<ClientIDISO>/cards
https://<FQDN>/v1/clients/<ClientIDISO>/cards?AVS
https://<FQDN>/v1/clients/<ClientIDISO>/cards?Verify
https://<FQDN>/v1/clients/<ClientIDISO>/cards?Fees
https://<FQDN>/v1/clients/<ClientIDISO>/cards?AVS+Verify
https://<FQDN>/v1/clients/<ClientIDISO>/cards?AVS+Fees
https://<FQDN>/v1/clients/<ClientIDISO>/cards?Verify+Fees
https://<FQDN>/v1/clients/<ClientIDISO>/cards?AVS+Verify+Fees
HTTP Method
POST
Request
Request Data
JSON NameValueRequiredDefaultDescriptionConditional
networksStringOList of Network Codes
For ISOs, please contact TabaPay Support for details on when and how to use.
cardTypesPullStringOList of Card Type Codes
For ISOs, please contact TabaPay Support for details on when and how to use.
cardTypesPushStringO
accountobjectCREither Account or CardAccount
accountIDString
22 characters
RAccountIDAccount
securityCodeString
3-4 digits
OCVV2Account
AVS
cardobjectCREither Account or Card
Either Payment Card Not Encrypted:
  • accountNumber
  • expirationDate
  • securityCode
or Payment Card Encrypted:
  • keyID
  • mode
  • data
or Card Token (Restricted Usage):
  • token
or Device (Restricted Usage):
  • id
  • blob
Card
Data Encrypted?
accountNumberString
13-19 digits
R nPayment Card Account NumberCard
Not Encrypted
expirationDateString
YYYYMM Format
O n
RAVS
Expiration DateCard
Not Encrypted
AVS
securityCodeString
3-4 digits
O nCVV2Card
Not Encrypted
AVS
keyIDString
22 characters
R eKeyIDCard
Encrypted
modeInteger
0, 1, or 2
D e2Encryption Mode (Transformation)
0 = PKCS#1 v1.5
1 = Java OAEP
2 = OAEP SHA-256
Card
Encrypted
dataStringR eEncrypted Card Data, see below
encoded in Base64 URL-Safe Character Set
Card
Encrypted
tokenString® tCard Token (from SSO)
Restricted Usage
Card
Token
deviceobject® dCard Data from P2PE Device
Restricted Usage
Device
idString® dDevice IdentifierDevice
blobHex String® dBlob in HexDevice
ownerobjectCCard HolderAVS / Verify
nameobjectCName on CardVerify
firstStringRFirst NameVerify
middleStringOMiddle Name or InitialVerify
lastStringRLast NameVerify
suffixStringOSuffixVerify
addressobjectCBilling AddressAVS
line1StringOAddress Line 1, for AVS, see notes belowAVS
line2StringOAddress Line 2AVS
cityStringOCityAVS
stateString
2-character code
OState CodeAVS
zipcodeStringRZip CodeAVS
countryString
3-digit code
O840ISO 3166-1 Country CodeAVS
phoneobjectCPhone Number (E.164 Numbering)Verify
countryCodeString
1-3 digits
O1Country Calling CodeVerify
numberString
Min: 4 digits
Max: 12-14 digits
RPhone NumberVerify
currencyString
3-digits
O840ISO 4217 Currency NumberFees Check
amountString
Amount
CAmount of TransactionFees Check
timeoutNumber
Between 15 and 50
O39Maximum time to wait for AVS and/or Verify ResponseAVS / Verify
(Encrypted) Card Data
Field             Required        Description
Card Number       R               13-19 digit Card Number
Expiration Date   O (R for AVS)   Expiration date in YYYYMM Format
Security Code     O               3 or 4 digit CVV2

UnEncrypted Card Data Format:
CardNumber | Expiration Date | Security Code
(no spaces, pipe symbol separated)
see samples
  Samples
Query Card:
{
  "card":
  {
    "accountNumber": "9999999999999999"
  }
}
Query Card using Encrypted Data:
{
  "card":
  {
    "keyID": "TabaPay_KeyID_22-chars",
    "data": "Base64_Encoded_Encrypted_Data"
  }
}
Query Card using AccountID:
{
  "account":
  {
    "accountID": "TabaPay_AccountID_22ch"
  }
}

Query Card and Fees Check:
{
  "card":
  {
    "accountNumber": "9999999999999999"
  },
  "amount": "0.50"
}

Unencrypted Card Data:
1111111111111111||

where

Card Number:     1111111111111111
Expiration Date: None
Security Code:   None

1111111111111111|203001|

where

Card Number:     1111111111111111
Expiration Date: January 2030
Security Code:   None

1111111111111111|203001|333

where

Card Number:     1111111111111111
Expiration Date: January 2030
Security Code:   333

1111111111111111||333

where

Card Number:     1111111111111111
Expiration Date: None
Security Code:   333
Response
Status Codes
Status Code        Description
200 OK             The Payment Card's Attributes are returned.
207 Multi-Status   One or more Failures occurred while processing the Request.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON NameValueDescriptionStatus CodeConditional
200207Other
SCInteger
3-digits
HTTP Status CodeO
ECString
1 or 8-characters
Internal Error CodeO
EMStringError MessageO
cardobjectCard Attributes
pullobjectDebit Transaction
enabledBoolean
networkStringOO
typeStringCredit, Debit, PrepaidOO
regulatedBooleanOO
currencyString
3-digits
ISO 4217 Currency NumberOO
countryString
3-digit code
ISO 3166-1 Country CodeOO
pushobjectCredit Transaction
enabledBoolean
networkStringOO
typeStringCredit, Debit, PrepaidOO
availabilityStringEstimated Funds AvailabilityOO
regulatedBooleanOO
currencyString
3-digits
ISO 4217 Currency NumberOO
countryString
3-digit code
ISO 3166-1 Country CodeOO
AVSobjectAVS ResultsCCAVS
networkRCString
2 or 3-character code
Network Response CodeOAVS
authorizeIDStringIDOAVS
resultTextStringAVS Result TextOAVS
codeAVSStringAVS Response CodeOAVS
codeSecurityCodeStringSecurity Code Response CodeOAVS
ECString
1 or 8-characters
Internal Error CodeOAVS
feesobjectFees CheckCCFees Check
pullobjectDebit TransactionOOFees Check
interchangeString
Amount
Interchange FeesFees Check
networkString
Amount
Network FeesFees Check
tabapayString
Amount
TabaPay FeesFees Check
pushobjectCredit TransactionOOFees Check
interchangeString
Amount
Interchange FeesFees Check
networkString
Amount
Network FeesFees Check
tabapayString
Amount
TabaPay FeesFees Check
  Samples
Query Card:
{
  "SC": 200,
  "EC": "0",
  "card":
  {
    "pull":
    {
      "enabled": true,
      "network": "Visa",
      "type": "Debit",
      "regulated": true,
      "currency": "840",
      "country": "840"
    },
    "push":
    {
      "enabled": true,
      "network": "Visa",
      "type": "Debit",
      "regulated": true,
      "currency": "840",
      "country": "840",
      "availability": "Immediate"
    }
  }
}

Query Card (pull disabled):
{
  "SC": 200,
  "EC": "0",
  "card":
  {
    "pull":
    {
      "enabled": false
    },
    "push":
    {
      "enabled": true,
      "network": "Visa",
      "type": "Debit",
      "regulated": true,
      "currency": "840",
      "country": "840",
      "availability": "Immediate"
    }
  }
}

Query Card (push disabled):
{
  "SC": 200,
  "EC": "0",
  "card":
  {
    "pull":
    {
      "enabled": true,
      "network": "Visa",
      "type": "Debit",
      "regulated": true,
      "currency": "840",
      "country": "840"
    },
    "push":
    {
      "enabled": false
    }
  }
}

Query Card (disabled/unsupported):
{
  "SC": 200,
  "EC": "0",
  "card":
  {
    "pull":
    {
      "enabled": false
    },
    "push":
    {
      "enabled": false
    }
  }
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values:   <ClientID>_<SubClientID>   where:
  • ClientID is your unique 22-character string and
  • SubClientID is an assigned 4 or 6-digit value.


There is an extra charge (fee) for using Query Card and there is also an additional charge (fee) for using AVS.


Creating an Account just to do a Query Card is not the valid way to use our API (it is an Anti-Pattern). As we try to show in the Sample Flows, Query Card should be done first, before Creating an Account; this is the correct Pattern (or use of our API).

Creating unused and/or inactive Accounts will result in:

  • These Accounts incurring an extra charge (fee)
  • These Accounts being automatically deleted
Excessive Anti-Pattern behavior will result in:
  • Your Requests failing
  • Your Client being locked


If using Account, only:
  • Card Account Number
  • Expiration Date (for AVS)
are obtained from the Account for use.

For AVS:

  • Security Code
  • Owner Address
are obtained from the request.

For Verify:

  • Owner Name
  • Owner Phone
are obtained from the request.


For AVS, Address Line 1 is optional, but you will get an AVS Code that says only Zip Code was matched (or not) and Address was not matched.


The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.


card.mode   Description
0           RSA with PKCS#1 v1.5 Padding, however this is considered to be insecure
1           Java RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding
2           (non-Java) RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding

Unfortunately, for RSA/ECB/OAEPWithSHA-256AndMGF1Padding, Java's implementation (as of Java 1.8) is currently incompatible with other implementations.
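
The Raw key format from Retrieve Key, the pipe-separated card data and card.mode 2 described above, put together in Go as an added example (not TabaPay's code; all function and type names are hypothetical). It assumes that keyModulus and keyExponent are big-endian unsigned integers, that mode 2 means SHA-256 for both the OAEP hash and MGF1, and that padded URL-safe Base64 is accepted for data; the key pair is generated locally and stands in for a real TabaPay key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

var panRe = regexp.MustCompile(`^[0-9]{13,19}$`)
var expRe = regexp.MustCompile(`^[0-9]{4}(0[1-9]|1[0-2])$`)
var cvvRe = regexp.MustCompile(`^[0-9]{3,4}$`)

// EncryptedCard is the "card" object for an encrypted Payment Card.
type EncryptedCard struct {
	KeyID string `json:"keyID"`
	Mode  int    `json:"mode"`
	Data  string `json:"data"`
}

// decodeB64URL accepts URL-safe Base64 with or without '=' padding
// (assumption: the page does not say which form the API uses).
func decodeB64URL(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

// ParseRawKey builds an RSA public key from the Raw-format keyModulus and
// keyExponent fields (assumed to be big-endian unsigned integers).
func ParseRawKey(modulus, exponent string) (*rsa.PublicKey, error) {
	n, errN := decodeB64URL(modulus)
	e, errE := decodeB64URL(exponent)
	if errN != nil || errE != nil {
		return nil, errors.New("keyModulus/keyExponent is not URL-safe Base64")
	}
	exp := new(big.Int).SetBytes(e)
	if len(n) == 0 || !exp.IsInt64() || exp.Int64() < 3 || exp.Int64() > 1<<31-1 {
		return nil, errors.New("implausible modulus or exponent")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(exp.Int64())}, nil
}

// CardPlaintext builds "CardNumber|ExpirationDate|SecurityCode". An omitted
// optional field is left empty but keeps its pipe separator.
func CardPlaintext(pan, exp, cvv string) (string, error) {
	if !panRe.MatchString(pan) {
		return "", errors.New("card number must be 13-19 digits")
	}
	if exp != "" && !expRe.MatchString(exp) {
		return "", errors.New("expiration date must be YYYYMM")
	}
	if cvv != "" && !cvvRe.MatchString(cvv) {
		return "", errors.New("security code must be 3 or 4 digits")
	}
	return pan + "|" + exp + "|" + cvv, nil
}

// EncryptCard applies RSA-OAEP with SHA-256 as both the OAEP hash and the
// MGF1 hash (Go's EncryptOAEP behaviour) and labels the result mode 2.
func EncryptCard(pub *rsa.PublicKey, keyID, plaintext string) (EncryptedCard, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plaintext), nil)
	if err != nil {
		return EncryptedCard{}, err
	}
	return EncryptedCard{KeyID: keyID, Mode: 2, Data: base64.URLEncoding.EncodeToString(ct)}, nil
}

// DemoRoundTrip plays both sides with a throwaway 2048-bit key (constructed, not TabaPay's).
func DemoRoundTrip(plaintext string) (EncryptedCard, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return EncryptedCard{}, "", err
	}
	enc := base64.URLEncoding.EncodeToString // key published in Raw format
	pub, err := ParseRawKey(enc(priv.N.Bytes()), enc(big.NewInt(int64(priv.E)).Bytes()))
	if err != nil {
		return EncryptedCard{}, "", err
	}
	card, err := EncryptCard(pub, "TabaPay_KeyID_22-chars", plaintext)
	if err != nil {
		return EncryptedCard{}, "", err
	}
	ct, err := decodeB64URL(card.Data)
	if err != nil {
		return card, "", err
	}
	out, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	return card, string(out), err
}

func main() {
	pt, _ := CardPlaintext("1111111111111111", "203001", "333")
	fmt.Println(DemoRoundTrip(pt))
}
```

Validating the three fields before encryption matters because the server only sees the ciphertext; a malformed plaintext can only be rejected after decryption on the far side.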

Account

This resource represents a Client's Account.

The operations that are available for this resource are:

●   Create
Creates an Account containing a Payment Card Account Number
●   Retrieve
Retrieves an Account, but the full Payment Card Account Number is never returned
●   Update
Updates an Account
●   Delete
Deletes an Account

Create Account

Creates an Account.

If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.

URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts
HTTP Method
POST
Request
Request Data
JSON NameValueRequiredDefaultDescriptionConditional
referenceIDString
1-15 characters
RYour unique Reference ID
cardobjectREither Payment Card Not Encrypted:
  • accountNumber
  • expirationDate
or Payment Card Encrypted:
  • keyID
  • mode
  • data
or Card Token (Restricted Usage):
  • token
or Device (Restricted Usage):
  • id
  • blob
Payment Card
accountNumberString
13-19 digits
R nPayment Card Account NumberPayment Card
Not Encrypted
expirationDateString
YYYYMM Format
R nExpiration DatePayment Card
Not Encrypted
keyIDString
22 characters
R eKeyIDPayment Card
Encrypted
modeInteger
0, 1, or 2
D e2Encryption Mode (Transformation)
0 = PKCS#1 v1.5
1 = Java OAEP
2 = OAEP SHA-256
Payment Card
Encrypted
dataStringR eEncrypted Card Data, see below
encoded in Base64 URL-Safe Character Set
Payment Card
Encrypted
tokenString® tCard Token (from SSO)
Restricted Usage
Card
Token
deviceobject® dCard Data from P2PE Device
Restricted Usage
Device
idString® dDevice IdentifierDevice
blobHex String® dBlob in HexDevice
ownerobjectRAccount Owner
nameobjectRName
firstStringRFirst Name
middleStringOMiddle Name or Initial
lastStringRLast Name
suffixStringOSuffix
addressobjectOAddress
line1StringRAddress Line 1
line2StringOAddress Line 2
cityStringRCity
stateString
2-character code
RState Code840
zipcodeStringRZip Code840
countryString
3-digit code
O840ISO 3166-1 Country Code840
phoneobjectOPhone Number (E.164 Numbering)840
countryCodeString
1-3 digits
O1Country Calling Code840
numberString
Min: 4 digits
Max: 12-14 digits
RPhone Number840
(Encrypted) Card Data
Field             Required   Description
Card Number       R          13-19 digit Card Number
Expiration Date   R          Expiration date in YYYYMM Format

UnEncrypted Card Data Format:
CardNumber | Expiration Date |
(no spaces, pipe symbol separated)
see samples
  Samples
Create Payment Card Account:
{
  "referenceID": "1",
  "card":
  {
    "accountNumber": "9999999999999999",
    "expirationDate": "202012"
  },
  "owner":
  {
    "name":
    {
      "first": "John",
      "last": "Customer"
    },
    "address":
    {
      "line1": "465 Fairchild Drive",
      "line2": "Suite #222",
      "city": "Mountain View",
      "state": "CA",
      "zipcode": "94043"
    },
    "phone":
    {
      "number": "4159808222"
    }
  }
}

Unencrypted Card Data:
1111111111111111|203001|

where

Card Number:     1111111111111111
Expiration Date: January 2030
Response
Status Codes
Status Code   Description
200 OK        An Account is Created.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name   Value                       Description           Status Code (200 / Other)
SC          Integer, 3-digits           HTTP Status Code      O
EC          String, 1 or 8-characters   Internal Error Code   O
EM          String                      Error Message         O
accountID   String, 22-characters       AccountID
  Samples
Account created:
{
  "SC": 200,
  "EC": "0",
  "accountID": "TabaPay_AccountID_22ch"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values:   <ClientID>_<SubClientID>   where:
  • ClientID is your unique 22-character string and
  • SubClientID is an assigned 4 or 6-digit value.


Creating an Account just to do a Query Card is not the valid way to use our API (it is an Anti-Pattern). As we try to show in the Sample Flows, Query Card should be done first, before Creating an Account; this is the correct Pattern (or use of our API).

Creating unused and/or inactive Accounts will result in:

  • These Accounts incurring an extra charge (fee)
  • These Accounts being automatically deleted
Excessive Anti-Pattern behavior will result in:
  • Your Requests failing
  • Your Client being locked


card.mode   Description
0           RSA with PKCS#1 v1.5 Padding, however this is considered to be insecure
1           Java RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding
2           (non-Java) RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding

Unfortunately, for RSA/ECB/OAEPWithSHA-256AndMGF1Padding, Java's implementation (as of Java 1.8) is currently incompatible with other implementations.

Retrieve Account

Retrieves the Account.

If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.

URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>
https://<FQDN>/v1/clients/<ClientIDISO>/accounts?referenceID=<ReferenceID>
HTTP Method
GET
Request
No Request Data
Response
Status Codes
Status Code   Description
200 OK        The Account is retrieved.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON NameValueDescriptionStatus Code
AIDRIDOther
200200
SCInteger
3-digits
HTTP Status CodeO
ECString
1 or 8-characters
Internal Error CodeO
EMStringError MessageO
referenceIDStringReferenceID
accountIDString
22-characters
AccountID
cardobjectCardOO
last4String
4-digits
Last 4 of Card NumberOO
expirationDateString
6-digits
Expiration DateOO
ownerobjectAccount Owner
nameobjectName
firstStringFirst Name
middleStringMiddle Name or InitialOO
lastStringLast Name
suffixStringSuffixOO
addressobjectAddressOO
line1StringAddress Line 1
line2StringAddress Line 2OO
cityStringCity
stateString
2-character code
State Code
zipcodeStringZip Code
countryString
3-digit code
ISO 3166-1 Country CodeOO
phoneobjectPhone Number (E.164 Numbering)OO
countryCodeString
1-3 digits
Country Calling CodeOO
numberString
Min: 4 digits
Max: 12-14 digits
Phone Number
  Samples
Account retrieved using AccountID:
{
  "SC": 200,
  "EC": "0",
  "referenceID": "1",
  "card":
  {
    "last4": "9990",
    "expirationDate": "202012"
  },
  "owner":
  {
    "name":
    {
      "first": "John",
      "last": "Customer"
    },
    "address":
    {
      "line1": "465 Fairchild Drive",
      "line2": "Suite #222",
      "city": "Mountain View",
      "state": "CA",
      "zipcode": "94043"
    },
    "phone":
    {
      "number": "4159808222"
    }
  }
}

Account retrieved using ReferenceID:
{
  "SC": 200,
  "EC": "0",
  "accountID": "TabaPay_AccountID_22ch",
  "owner":
  {
    "name":
    {
      "first": "John",
      "last": "Customer"
    },
    "address":
    {
      "line1": "465 Fairchild Drive",
      "line2": "Suite #222",
      "city": "Mountain View",
      "state": "CA",
      "zipcode": "94043"
    },
    "phone":
    {
      "number": "4159808222"
    }
  }
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values:   <ClientID>_<SubClientID>   where:
  • ClientID is your unique 22-character string and
  • SubClientID is an assigned 4 or 6-digit value.

Update Account

Updates the Account.

If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.

URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>
HTTP Method
PUT
Request
Request Data
JSON NameValueRequiredDefaultDescriptionConditional
cardobjectREither Payment Card Not Encrypted:
  • accountNumber
  • expirationDate
or Payment Card Encrypted:
  • keyID
  • mode
  • data
or Card Token (Restricted Usage):
  • token
or Device (Restricted Usage):
  • id
  • blob
Payment Card
accountNumberString
13-19 digits
R nPayment Card Account NumberPayment Card
Not Encrypted
expirationDateString
YYYYMM Format
R nExpirationDatePayment Card
Not Encrypted
keyIDString
22 characters
R eKeyIDPayment Card
Encrypted
modeInteger
0, 1, or 2
D e2Encryption Mode (Transformation)
0 = PKCS#1 v1.5
1 = Java OAEP
2 = OAEP SHA-256
Payment Card
Encrypted
dataStringR eEncrypted Card Data, see below
encoded in Base64 URL-Safe Character Set
Payment Card
Encrypted
tokenString® tCard Token (from SSO)
Restricted Usage
Card
Token
deviceobject® dCard Data from P2PE Device
Restricted Usage
Device
idString® dDevice IdentifierDevice
blobHex String® dBlob in HexDevice
ownerobjectRAccount Owner
nameobjectRName
firstStringRFirst Name
middleStringOMiddle Name or Initial
lastStringRLast Name
suffixStringOSuffix
addressobjectOAddress
line1StringRAddress Line 1
line2StringOAddress Line 2
cityStringRCity
stateString
2-character code
RState Code840
zipcodeStringRZip Code840
countryString
3-digit code
O840ISO 3166-1 Country Code840
phoneobjectOPhone Number (E.164 Numbering)840
countryCodeString
1-3 digits
O1Country Calling Code840
numberString
Min: 4 digits
Max: 12-14 digits
RPhone Number840
(Encrypted) Card Data
Field             Required   Description
Card Number       R          13-19 digit Card Number
Expiration Date   R          Expiration date in YYYYMM Format

UnEncrypted Card Data Format:
CardNumber | Expiration Date |
(no spaces, pipe symbol separated)
see samples
  Samples
Update Payment Card Account:
{
  "card":
  {
    "accountNumber": "9999999999999999",
    "expirationDate": "202012"
  },
  "owner":
  {
    "name":
    {
      "first": "John",
      "last": "Customer"
    },
    "address":
    {
      "line1": "465 Fairchild Drive",
      "line2": "Suite #222",
      "city": "Mountain View",
      "state": "CA",
      "zipcode": "94043"
    },
    "phone":
    {
      "number": "4159808222"
    }
  }
}

Unencrypted Card Data:
1111111111111111|203001|

where

Card Number:     1111111111111111
Expiration Date: January 2030
Response
Status Codes
Status Code | Description
200 OK | The Account is Updated.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name | Value | Description | Status Code: 200, Other
SC | Integer, 3-digits | HTTP Status Code | O
EC | String, 1 or 8-characters | Internal Error Code | O
EM | String | Error Message | O
  Samples
Account updated:
{
  "SC": 200,
  "EC": "0"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values:   <ClientID>_<SubClientID>   where:
  • ClientID is your unique 22-character string and
  • SubClientID is an assigned 4 or 6-digit value.


Update will delete the previous Account Data and replace the Account Data with the new Data in the Request. An Update Account is basically a Create Account but reusing the AccountID and the ReferenceID. The previous Account Data is deleted and is no longer usable or recoverable.


card.mode | Description
0 | RSA with PKCS#1 v1.5 Padding, however this is considered to be insecure
1 | Java RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding
2 | (non-Java) RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding

Unfortunately, for RSA/ECB/OAEPWithSHA-256AndMGF1Padding, Java's implementation (as of Java 1.8) is currently incompatible with other implementations.

Delete Account

The Account is marked for Deletion.

If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.

URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>
HTTP Method
DELETE
Request
No Request Data
Response
Status Codes
Status Code | Description
200 OK | The Account is marked for deletion.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name | Value | Description | Status Code: 200, Other
SC | Integer, 3-digits | HTTP Status Code | O
EC | String, 1 or 8-characters | Internal Error Code | O
EM | String | Error Message | O
  Samples
Account marked for deletion:
{
  "SC": 200,
  "EC": "0"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values:   <ClientID>_<SubClientID>   where:
  • ClientID is your unique 22-character string and
  • SubClientID is an assigned 4 or 6-digit value.

Transaction

This resource represents a Client's Transaction.

The operations that are available for this resource are:

●   Create
Creates a Transaction
●   Retrieve
Retrieves a Transaction
●   Delete
Deletes a Transaction

Create Transaction

Creates a Transaction.

If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.

URL
https://<FQDN>/v1/clients/<ClientIDISO>/transactions
HTTP Method
POST
Request
Request Data
JSON Name | Value | Required | Default | Description | Choice
referenceID | String, 1-15 characters | R | | Your unique Reference ID |
correspondingID | String, 22 characters | O | | Corresponding TransactionID (For a Pull Transaction, this would be the corresponding Push Transaction) |
type | String, 4 characters, Either push or pull | R | | Transaction Type. This is used to verify that your Source and Destination Accounts are valid. |
networks | String | O | | List of Network Codes. For ISOs, please contact TabaPay Support for details on when and how to use. |
cardTypes | String | O | | List of Card Type Codes. For ISOs, please contact TabaPay Support for details on when and how to use. |
accounts | object | R | | Accounts |
sourceAccountID | String, 22 characters | CR | | Either Source AccountID or Source Account | SAID
sourceAccount | object | CR | | Either Source AccountID or Source Account | SA
card | object | R | | Either Payment Card Not Encrypted: accountNumber, expirationDate, securityCode; or Payment Card Encrypted: keyID, mode, data; or Card Token (Restricted Usage): token; or Device (Restricted Usage): id, blob | SA PC
accountNumber | String, 13-19 digits | R n | | Payment Card Account Number | SA PC, Not Encrypted
expirationDate | String, YYYYMM Format | R n | | Expiration Date | SA PC, Not Encrypted
securityCode | String, 3-4 digits | O n | | Security Code | SA PC, Not Encrypted
keyID | String, 22 characters | R e | | KeyID | SA PC, Encrypted
mode | Integer, 0, 1, or 2 | D e | 2 | Encryption Mode (Transformation): 0 = PKCS#1 v1.5, 1 = Java OAEP, 2 = OAEP SHA-256 | SA PC, Encrypted
data | String | R e | | Encrypted Card Data, see below; encoded in Base64 URL-Safe Character Set | SA PC, Encrypted
token | String | ® t | | Card Token (from SSO); Restricted Usage | Card Token
device | object | ® d | | Card Data from P2PE Device; Restricted Usage | Device
id | String | ® d | | Device Identifier | Device
blob | Hex String | ® d | | Blob in Hex | Device
owner | object | R | | Account Owner | SA
name | object | R | | Name | SA
first | String | R | | First Name | SA
middle | String | O | | Middle Name or Initial | SA
last | String | R | | Last Name | SA
suffix | String | O | | Suffix | SA
address | object | O | | Address | SA
line1 | String | O | | Address Line 1 | SA
line2 | String | O | | Address Line 2 | SA
city | String | O | | City | SA
state | String, 2-character code | O | | State Code | SA
zipcode | String | O | | Zip Code | SA
country | String, 3-digit code | O | 840 | ISO 3166-1 Country Code | SA
phone | object | O | | Phone Number (E.164 Numbering) | SA
countryCode | String, 1-3 digits | O | 1 | Country Calling Code | SA
number | String, Min: 4 digits, Max: 12-14 digits | R | | Phone Number | SA
destinationAccountID | String, 22 characters | CR | | Either Destination AccountID or Destination Account | DAID
destinationAccount | object | CR | | Either Destination AccountID or Destination Account | DA PC
card | object | R | | Either Payment Card Not Encrypted: accountNumber, expirationDate, securityCode; or Payment Card Encrypted: keyID, mode, data; or Card Token (Restricted Usage): token; or Device (Restricted Usage): id, blob | DA PC
accountNumber | String, 13-19 digits | R n | | Payment Card Account Number | DA PC, Not Encrypted
expirationDate | String, YYYYMM Format | R n | | Expiration Date | DA PC, Not Encrypted
securityCode | String, 3-4 digits | O n | | CVV2 | DA PC, Not Encrypted
keyID | String, 22 characters | R e | | KeyID | DA PC, Encrypted
mode | Integer, 0, 1, or 2 | D e | 2 | Encryption Mode (Transformation): 0 = PKCS#1 v1.5, 1 = Java OAEP, 2 = OAEP SHA-256 | DA PC, Encrypted
data | String | R e | | Encrypted Card Data, see below; encoded in Base64 URL-Safe Character Set | DA PC, Encrypted
token | String | ® t | | Card Token (from SSO); Restricted Usage | Card Token
device | object | ® d | | Card Data from P2PE Device; Restricted Usage | Device
id | String | ® d | | Device Identifier | Device
blob | Hex String | ® d | | Blob in Hex | Device
owner | object | R | | Account Owner | DA
name | object | R | | Name | DA
first | String | R | | First Name | DA
middle | String | O | | Middle Name or Initial | DA
last | String | R | | Last Name | DA
suffix | String | O | | Suffix | DA
address | object | O | | Address | DA
line1 | String | O | | Address Line 1 | DA
line2 | String | O | | Address Line 2 | DA
city | String | O | | City | DA
state | String, 2-character code | O | | State Code | DA
zipcode | String | O | | Zip Code | DA
country | String, 3-digit code | O | 840 | ISO 3166-1 Country Code | DA
phone | object | O | | Phone Number (E.164 Numbering) | DA
countryCode | String, 1-3 digits | O | 1 | Country Calling Code | DA
number | String, Min: 4 digits, Max: 12-14 digits | R | | Phone Number | DA
currency | String, 3-digits | O | 840 | ISO 4217 Currency Number |
amount | String, Amount | R | | Transaction Amount |
memo | String, Max of 32 characters | O | | Memo |
regionals | String | O | | Regionals Override. For ISOs, please contact TabaPay Support for details on when and how to use. |
pullOptions | object | O | | Additional Pull Options |
lender | Boolean | O | | Lender |
quasiCash | Boolean | O | | Quasi-Cash |
securityCode | String, 3-4 digits | O | | CVV2. Valid only when using sourceAccountID (Pull) |
recurring | Boolean | O | | Recurring Pull Transaction |
3dsECI | String | O | | 3d Secure ECI (Electronic Commerce Indicator) |
3dsUCAF | String | O | | 3d Secure UCAF (Universal Cardholder Authentication Field). Visa uses CAVV (Cardholder Authentication Verification Value); MasterCard uses AAV (Accountholder Authentication Value) |
3dsXID | String | O | | 3d Secure XID (Transaction ID) |
softDescriptor | object | ® | | Soft Descriptor; Restricted Usage | ®
name | String | R | | Name | ®
address | object | R | | Address | ®
line1 | String | R | | Address Line 1 | ®
line2 | String | O | | Address Line 2 | ®
city | String | R | | City | ®
county | String, 3-characters | R | | County | ®
state | String, 2-character code | R | | State Code | ®
zipcode | String | R | | Zip Code | ®
country | String, 3-digit code | O | 840 | ISO 3166-1 Country Code | ®
phone | object | O | | Phone Number (E.164 Numbering) | ®
countryCode | String, 1-3 digits | O | 1 | Country Calling Code | ®
number | String, Min: 4 digits, Max: 12-14 digits | R | | Phone Number | ®
location | object | O | | Location of the Origination of Transaction |
name | String | R | | Location Name |
address | object | R | | Location Address |
line1 | String | R | | Address Line 1 |
line2 | String | O | | Address Line 2 |
city | String | R | | City |
state | String, 2-character code | R | | State Code |
zipcode | String | R | | Zip Code |
country | String, 3-digit code | O | 840 | ISO 3166-1 Country Code |
timeout | Integer, Between 15 and 39 | O | 39 | Time to wait for a response. Default is 39 seconds. See Notes Below... |
(Encrypted) Card Data
Field | Required | Description
Card Number | R | 13-19 digit Card Number
Expiration Date | R | Expiration date in YYYYMM Format
Security Code | O | 3 or 4 digit CVV2

UnEncrypted Card Data Format:
CardNumber | Expiration Date | Security Code
(no spaces, pipe symbol separated; see samples)
  Samples
Create Transaction:
{
  "referenceID": "1",
  "type": "push",
  "accounts":
  {
    "sourceAccountID": "TabaPay_AccountID_22-c",
    "destinationAccountID": "TabaPay_AccountID_22-c"
  },
  "amount": "1.00",
  "currency": "840"
}
Create Pull Transaction:
{
  "referenceID": "1",
  "type": "pull",
  "accounts":
  {
    "sourceAccount":
    {
      "card":
      {
        "accountNumber": "9999999999999999",
        "expirationDate": "202012"
      },
      "owner":
      {
        "name":
        {
          "first": "John",
          "last": "Benson"
        },
        "address":
        {
          "line1": "465 Fairchild Drive",
          "line2": "Suite #222",
          "city": "Mountain View",
          "state": "CA",
          "zipcode": "94043"
        },
        "phone":
        {
          "number": "4159808222"
        }
      }
    },
    "destinationAccountID": "TabaPay_AccountID_22-c"
  },
  "currency": "840",
  "amount": "0.10"
}
Create Push Transaction:
{
  "referenceID": "1",
  "type": "push",
  "accounts":
  {
    "sourceAccountID": "TabaPay_AccountID_22-c",
    "destinationAccount":
    {
      "card":
      {
        "accountNumber": "9999999999999999",
        "expirationDate": "202012"
      },
      "owner":
      {
        "name":
        {
          "first": "John",
          "last": "Benson"
        },
        "address":
        {
          "line1": "465 Fairchild Drive",
          "line2": "Suite #222",
          "city": "Mountain View",
          "state": "CA",
          "zipcode": "94043"
        },
        "phone":
        {
          "number": "4159808222"
        }
      }
    }
  },
  "currency": "840",
  "amount": "0.10"
}

Unencrypted Card Data:
1111111111111111|203001|

where

Card Number:     1111111111111111
Expiration Date: January 2030
Security Code:   None

1111111111111111|203001|333

where

Card Number:     1111111111111111
Expiration Date: January 2030
Security Code:   333

Response
Status Codes
Status Code | Description
200 OK | A Transaction is created and processing is completed.
201 Created | A Transaction is created, but the transaction is waiting to be processed (batch).
207 Multi-Status | One or more Failures occurred while processing the Request.
429 Too Many Requests | Over your Daily (24-hour rolling) Approximation Limit.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name | Value | Description | Status Code: 200, 201, 207, Other
SC | Integer, 3-digits | HTTP Status Code | O
EC | String, 1 or 8-characters | Internal Error Code | O
EM | String | Error Message | O O
transactionID | String, 22-characters | TransactionID |
network | String | Network |
networkRC | String, 2 or 3-character code | Network Response Code | O
status | String | Status |
approvalCode | String, 6-characters | Approval Code | O
errors | Array of 8-characters Strings | Array of Internal Error Codes |
AVS | object | AVS Results | C
codeAVS | String | AVS Response Code | O
codeSecurityCode | String | Security Code Response Code | O
fees | object | Estimated Fees | O O
interchange | String, Amount | Interchange Fees |
network | String, Amount | Network Fees |
tabapay | String, Amount | TabaPay Fees |
  Samples
Transaction created:
{
  "SC": 200,
  "EC": "0",
  "transactionID": "TabaPay_TransactionID_",
  "network": "Visa",
  "networkRC": "00",
  "status": "COMPLETED",
  "approvalCode": "000000"
}
Transaction created but waiting to be processed (batch):
{
  "SC": 201,
  "EC": "0",
  "transactionID": "TabaPay_TransactionID_",
  "network": "CreditCards",
  "status": "PENDING"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values:   <ClientID>_<SubClientID>   where:
  • ClientID is your unique 22-character string and
  • SubClientID is an assigned 4 or 6-digit value.


One of the accounts in the Request, Source Account or Destination Account, must be your Settlement Account. If disbursing funds (push) the Source Account should be your Settlement Account. If collecting funds (pull) the Destination Account should be your Settlement Account.

On a Pull Transaction, specifying at least the Owner Address Line 1 and/or Owner Zip Code will result in an automatic AVS check which may result in lower fees. However, a bad AVS will not stop the Transaction. You should have previously done a Query Card with AVS to check the Card.


A Timeout does not STOP the Transaction from continuing to be processed. It does mean that the Transaction Status will be temporarily in an UNKNOWN status. The SC (Status Code) in the Response will be 207.

Once the Transaction has finished processing, the Actual Status of the Transaction will be reflected. You can do a Retrieve Transaction to check on the actual Transaction Status. However, do not poll, otherwise you will get SC=429.

After 90 seconds, the Transaction Status will NOT change. We have given up waiting for a response. Most likely, the Transaction Status will remain in an UNKNOWN status. Contact TabaPay Support if you need us to investigate what really happened with this Transaction.


The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.


card.mode | Description
0 | RSA with PKCS#1 v1.5 Padding, however this is considered to be insecure
1 | Java RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding
2 | (non-Java) RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding

Unfortunately, for RSA/ECB/OAEPWithSHA-256AndMGF1Padding, Java's implementation (as of Java 1.8) is currently incompatible with other implementations.
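
The Encrypted choice of the card object, built end to end for mode 2, as an added example in Go (not TabaPay's sample code): it formats the pipe-separated card data shown in the samples, encrypts it with RSA-OAEP SHA-256 and encodes the result in the Base64 URL-safe character set. The key pair, the keyID placeholder and the unpadded Base64 output are assumptions; so is reading mode 1 as Java's default pairing of SHA-256 with a SHA-1 MGF1 for that transformation string, which the last step uses to show why the two OAEP modes are not interchangeable.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1" // links SHA-1 in so crypto.SHA1 is usable as an MGF1 hash
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Field formats from the request tables on this page.
var (
	panRe    = regexp.MustCompile(`^[0-9]{13,19}$`)             // 13-19 digits
	expiryRe = regexp.MustCompile(`^[0-9]{4}(0[1-9]|1[0-2])$`) // YYYYMM
	cvvRe    = regexp.MustCompile(`^[0-9]{3,4}$`)               // 3-4 digits
)

// EncryptedCard is the "Payment Card Encrypted" choice of the card object.
type EncryptedCard struct {
	KeyID string `json:"keyID"`
	Mode  int    `json:"mode"`
	Data  string `json:"data"`
}

// CardData builds "CardNumber|ExpirationDate|SecurityCode"; the security code is
// optional but the second pipe is always written. Errors never echo the input.
func CardData(pan, expiry, cvv string) (string, error) {
	switch {
	case !panRe.MatchString(pan):
		return "", errors.New("card number must be 13-19 digits")
	case !expiryRe.MatchString(expiry):
		return "", errors.New("expiration date must be YYYYMM")
	case cvv != "" && !cvvRe.MatchString(cvv):
		return "", errors.New("security code must be 3-4 digits")
	}
	return pan + "|" + expiry + "|" + cvv, nil
}

// EncryptCard produces a mode 2 card object: RSA-OAEP with SHA-256 as both the
// OAEP hash and the MGF1 hash, then unpadded Base64 URL-safe (an assumption).
func EncryptCard(pub *rsa.PublicKey, keyID, pan, expiry, cvv string) (EncryptedCard, error) {
	if len(keyID) != 22 {
		return EncryptedCard{}, errors.New("keyID must be 22 characters")
	}
	plain, err := CardData(pan, expiry, cvv)
	if err != nil {
		return EncryptedCard{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plain), nil)
	if err != nil {
		return EncryptedCard{}, err
	}
	return EncryptedCard{KeyID: keyID, Mode: 2, Data: base64.RawURLEncoding.EncodeToString(ct)}, nil
}

// DecryptCard plays the receiving side for the constructed key pair. mgf picks
// the MGF1 hash the receiver assumes; the OAEP hash is always SHA-256.
func DecryptCard(priv *rsa.PrivateKey, c EncryptedCard, mgf crypto.Hash) (string, error) {
	ct, err := base64.RawURLEncoding.DecodeString(c.Data)
	if err != nil {
		return "", err
	}
	pt, err := priv.Decrypt(rand.Reader, ct, &rsa.OAEPOptions{Hash: crypto.SHA256, MGFHash: mgf})
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ConstructedKey returns a throwaway 2048-bit key pair standing in for a key
// obtained through the Key resource (an assumption of this example).
func ConstructedKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	priv := ConstructedKey()
	card, err := EncryptCard(&priv.PublicKey, "KeyID_placeholder_22ch", "1111111111111111", "203001", "333")
	if err != nil {
		panic(err)
	}
	body, _ := json.Marshal(map[string]EncryptedCard{"card": card})
	fmt.Println(string(body))
	// A receiver that assumes a SHA-1 MGF1 cannot open mode 2 ciphertext.
	_, errSame := DecryptCard(priv, card, crypto.SHA256)
	_, errJava := DecryptCard(priv, card, crypto.SHA1)
	fmt.Println("SHA-256 MGF1 ok:", errSame == nil, "| SHA-1 MGF1 ok:", errJava == nil)
}
```

A mismatch between the mode value sent and the padding actually used surfaces only as a decryption failure on the receiving side, so pin the mode to the library that performs the encryption.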

Retrieve Transaction

Retrieves the Transaction.

If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.

URL
https://<FQDN>/v1/clients/<ClientIDISO>/transactions/<TransactionID>
https://<FQDN>/v1/clients/<ClientIDISO>/transactions?referenceID=<ReferenceID>
HTTP Method
GET
Request
No Request Data
Response
Status Codes
Status Code | Description
200 OK | The Transaction is retrieved.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name | Value | Description | Status Code: TID (200), RID (200), Other
SC | Integer, 3-digits | HTTP Status Code | O
EC | String, 1 or 8-characters | Internal Error Code | O
EM | String | Error Message | O
transactionID | String, 22-characters | TransactionID |
referenceID | String | ReferenceID |
network | String | Network | O O
networkRC | String, 2 or 3-character code | Network Response Code | O O
status | String | Status |
originally | String | Original Status | O O
approvalCode | String, 6-characters | Approval Code | O O
errors | Array of 8-characters Strings | Array of Internal Error Codes | O O
amount | String | Amount |
currency | String, 3-digits | ISO 4217 Currency Number | O O
last4 | String | Last 4 of Card Account Number (PAN) |
memo | String | Memo | O O
fees | object | Fees | O O
interchange | String, Amount | Interchange Fees |
network | String, Amount | Network Fees |
tabapay | String, Amount | TabaPay Fees |
reversalStatus | String | Reversal Status | O O
reversal | object | Reversal | O O
networkRC | String, 2 or 3-character code | Network Response Code | O O
networkRC2 | String, 2 or 3-character code | Network Response Code | O O
error | String, 1 or 8-characters | Internal Error Code | O O
  Samples
Transaction retrieved using TransactionID:
{
  "SC": 200,
  "EC": "0",
  "referenceID": "1",
  "network": "Visa",
  "networkRC": "00",
  "status": "COMPLETED",
  "approvalCode": "000000",
  "amount": "0.10",
  "fees":
  {
    "interchange": "0.50",
    "network": "0.50",
    "tabapay": "0.25"
  }
}

Transaction retrieved using ReferenceID:
{
  "SC": 200,
  "EC": "0",
  "transactionID": "TransactionID_22chars_",
  "network": "Visa",
  "networkRC": "00",
  "status": "COMPLETED",
  "approvalCode": "000000",
  "amount": "0.10",
  "fees":
  {
    "interchange": "0.50",
    "network": "0.50",
    "tabapay": "0.25"
  }
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values:   <ClientID>_<SubClientID>   where:
  • ClientID is your unique 22-character string and
  • SubClientID is an assigned 4 or 6-digit value.


The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.

Delete Transaction

Tries to request a reversal of a previous Pull Transaction.

If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.

URL
https://<FQDN>/v1/clients/<ClientIDISO>/transactions/<TransactionID>?reversal
https://<FQDN>/v1/clients/<ClientIDISO>/transactions/<TransactionID>?void
HTTP Method
DELETE
Request
No Request Data
Response
Status Codes
Status Code | Description
200 OK | A Request for a Reversal of the previous Transaction is successful.
207 Multi-Status | One or more Failures occurred while processing the Request.

See Status Codes for other possible Status Codes that might be returned.
Response Data
JSON Name | Value | Description | Status Code: 200, 207, Other
SC | Integer, 3-digits | HTTP Status Code | O
EC | String, 1 or 8-characters | Internal Error Code | O
EM | String | Error Message | O O
status | String | Status |
reversal | object | Reversal | O
networkRC | String, 2 or 3-character code | Void: Network Response Code | O
networkRC2 | String, 2 or 3-character code | Refund after failed Void: Network Response Code | O
  Samples
Transaction reversed:
{
  "SC": 200,
  "EC": "0",
  "status": "COMPLETED",
  "reversal":
  {
    "networkRC": "00"
  }
}
Dual Message Network:
{
  "SC": 200,
  "EC": "0",
  "status": "COMPLETED",
  "reversal":
  {
    "networkRC": "21",
    "networkRC2": "00"
  }
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values:   <ClientID>_<SubClientID>   where:
  • ClientID is your unique 22-character string and
  • SubClientID is an assigned 4 or 6-digit value.


You can only Delete (reverse) a Pull Transaction. A Delete is only a request for a reversal. Dual Message Networks may cause a networkRC2 if the networkRC is either a Network Response Code of 21 or E9.

Networks

Network Name | Network Code
STAR | S
Pulse | P
NYCE | N
CU24 | C
Accel | A
Visa | V
MasterCard | M
MoneySend | Y
Discover | D
DiscoverD

Card Types

Card Type | Card Type Code
Debit | D
PrePaid | P
Credit | C

Network Response Codes


A Financial Institution may decide to return a Network Response Code that may not match the ISO Code meaning.

ISO CODE | Description
00 | Approved or completed successfully
01 | Refer to card issuer
02 | Refer to card issuers special conditions
03 | Invalid merchant
04 | Pick-up
05 | Do not honor
06 | Error
07 | Pick-up card, special conditions
08 | Honor with identification
09 | Request in progress
10 | Approved for partial amount
11 | Approved (VIP)
12 | Invalid transaction
13 | Invalid amount
14 | Invalid card number (no such number)
15 | No such issuer
16 | Approved, update track 3
17 | Customer cancellation, reversal (unsupported)
18 | Customer dispute, chargeback (future)
19 | Re-enter transaction
20 | Invalid response
21 | No action taken, reversal (unsupported)
22 | Suspected malfunction, reversal (unsupported)
23 | Unacceptable transaction fee
24 | File update not supported by receiver
25 | Unable to locate record on file
26 | Duplicate file update record, no action
27 | File update field edit error
28 | File update record locked out
29 | File update not successful, contact acquirer
30 | Format error (may also be a reversal)
31 | Bank not supported by switch
32 | Completed partially, reversal (unsupported)
33 | Expired card, pick-up
34 | Suspected fraud, pick-up
35 | Card acceptor contact acquirer, pick-up
36 | Restricted card, pick-up
37 | Card acceptor call acquirer security, pick-up
38 | Allowable PIN tries exceeded, pick-up
39 | No credit account
40 | Requested function not supported
41 | Lost card, pick-up
42 | No universal account
43 | Stolen card, pick-up
44 | No investment account
45 | Reserved for ISO use
46 | Reserved for ISO use
47 | Reserved for ISO use
48 | Reserved for ISO use
49 | Reserved for ISO use
50 | Reserved for ISO use
51 | Insufficient funds
52 | No checking account
53 | No savings account
54 | Expired card
55 | Incorrect PIN
56 | No card record
57 | Transaction not permitted to cardholder
58 | Transaction not permitted to terminal (may also be a chargeback)
59 | Suspected fraud
60 | Card acceptor contact acquirer
61 | Exceeds withdrawal amount limit
62 | Restricted card
63 | Security violation (may also be a chargeback)
64 | Original amount incorrect, reversal (unsupported)
65 | Exceeds withdrawal frequency limit
66 | Card acceptor call acquirer security
67 | Hard capture, pick-up
68 | Response received too late, reversal (unsupported)
69 | Reserved for ISO
70 | Reserved for ISO
71 | Reserved for ISO
72 | Reserved for ISO
73 | Reserved for ISO
74 | Reserved for ISO
75 | Allowable number of PIN tries exceeded
76 | Key synchronization error (FIS)
77 | Reserved for private use
78 | Customer not eligible for POS (Star SM)
79 | Invalid digital signature
80 | Stale dated transaction (Star SM)
81 | Issuer requested standin
82 | Count exceeds limit (VISANet)
83 | Reserved for private use
84 | Time limit for pre-authorization reached (VISANet)
85* | Issuer has no reason to decline the transaction (Account Verification)
86 | Cannot verify PIN (VISANet)
87 | Check already posted
88 | Information not on file
89 | Card verification value (CVV) verification failed (no pickup)
90 | Cutoff is in progress
91 | Issuer or switch is inoperative
92 | Financial institution or intermediate network unknown for routing
93 | Transaction cannot be completed, violation of law
94 | Duplication transaction
95 | Reconcile error
96 | System malfunction
97 | Reserved for national use
98 | Reserved for national use
99* | Card network fault error
0Z-9Z | Reserved for ISO use
C2-E0 | Reserved for national use (X9.2)
E1* | Invalid or unsupported SEC
E2* | AVS data required
E3* | CVV2 data required
E4* | Service not allowed. Transaction not permitted to cardholder.
E5* | Service not allowed. Transaction not permitted to cardholder.
E6* | Issuer country is blocked
E7* | Incorrect MAC was sent
E8* | Standard Entry Class requirements were not met
E9* | System time out
EA* | Account length error
EB* | Check digit error
EC* | CID format error
ED* | Authorization is too old to capture
EE* | Card product code is blocked
EF* | Attempt to process a BRIC transaction on a prior PIN based transaction
EG* | CyberSource Time Out: Connection to CyberSource timed out
EH* | CARD_ENT_METH supplied is not valid or required additional data not provided as defined
EI* | CARD_ID is not valid
EJ* | Required PIN block not present
EK* | Bin is not valid for pinless routing
EL* | Signature store did not complete
EM* | Debit PIN transactions must be swiped
EN* | DB proxy response was not processed within the time out period
EO* | Transaction was declined by merchant due to mismatch of CVV2 data
EP* | Transaction not allowed as per a validation rule
EQ* | There were no available gateway nodes to route transaction
EZ-MZ | Reserved for national use (X9.2)
N0 | Authorization life cycle unacceptable
N1 | Authorization life cycle expired
N2 | Non-receipt of requested item (future)
N3 | Non-receipt of requested item, illegible copy (future)
N4 | Transaction exceeds floor limit (future)
N5 | Declined authorization (future)
N6 | Non-matching account numbers (future)
N7 | Error in addition (future)
N8 | Altered amount (future)
N9 | Incorrect account number (future)
P0 | Missing signature (future)
P1 | Slip without card imprint (future)
P2 | Imprinting of multiple slips (future)
P3 | Canceled pre-authorization transaction (future)
P4 | Delinquent settlement (future)
P5 | Currency conversion error (future)
P6 | Credit posted as a debit (sale) (future)
P7 | Claim or defense (future)
P8 | Non-receipt of goods (future)
P9 | Defective merchandise (future)
Q1* | Card authentication failed
R0 | Fraudulent transaction prior to embossed valid date (future)
R1 | Credit not received (future)
R2 | Allowable PAN entries warning -- approved
R3 | Approved with overdraft protection
R4 | Bad CVV3
RR* | Unknown Backend Processing Error
S0 | Check not acceptable for cash
S1 | Check not acceptable
S2 | Check deposit limit exceeded
S3 | Cash back limit exceeded
S4 | Check amount does not match courtesy amount
S5 | PIN not selected
S6 | PIN already selected
S7 | Unmatched voucher information
S8 | Allowable PAN entries exceeded -- denial
S9 | Expiration date mismatch
SA | Inactive card
SB | Expiration date mismatch (card pickup)
SC | Item suspected for stop pay
SD | Account closed
SE | Ineligible account
SF | Item submitted more than two times
SG | No account on file - absolute
SH | Unable to locate
SI | General denial
SJ | Item settled via ACH
SK | Cross-reference card not found
SL | Category limit exceeded
SM | Transaction limit exceeded
SN | Daily limit exceeded
SO | Monthly limit exceeded
SP | Invalid secret code
SQ | PIN key sync error
SR | Bad CVV2
SS | Stop payment order
ST | Revocation of authorization order
SV | Stop reoccurring payments
T3 | Lost card (no pickup)
T4 | Closed account
T5 | Dormant account
T6 | Special conditions (no pick-up)
T7 | Purchase only approval for purchase with cash back transaction.
T9 | Insufficient funds for fees
TA | ARQC validation failed for chip card
TB | Unsafe PIN
U0-YZ | Reserved for private use
ZD* | MasterCard MoneySend Error due to Expiration Date
ZN* | MasterCard MoneySend Decline due to Card was Declined
ZR* | MasterCard MoneySend Decline due to Unsupported Card
ZU* | MasterCard MoneySend Error due to an Unknown Reason
ZX* | MasterCard MoneySend Decline due to an Unknown Reason
ZY* | MasterCard MoneySend Request in Unknown Status
ZZ* | Used by TabaPay for Testing

Notes:

*   Not all Networks may return this Network Response Code.


Accel Action Code | Description
000 | Approved
001 | Approved with identification
002 | Approved for partial amount
003 | Approved (VIP)
100, 200 | Do not honor
101, 201 | Expired card
102, 202 | Suspected fraud
103, 203 | Card acceptor contact acquirer
104, 204 | Restricted card
105, 205 | Card acceptor call acquirer’s security department
106, 206 | Allowable PIN tries exceeded
107 | Refer to card issuer
108 | Refer to card issuer’s special condition
109 | Invalid merchant
110 | Invalid amount
111 | Invalid card number
112 | PIN data required
113 | Unacceptable fee
114, 214 | No account of type requested
115 | Requested function not supported (invalid transaction)
116, 216 | Insufficient funds
117, 217 | Incorrect PIN
118 | No card record
119 | Transaction not permitted to cardholder
120 | Transaction not permitted to terminal
121 | Exceeds withdrawal amount limit
122 | Security violation
123 | Exceeds withdrawal limit frequency
124 | Violation of law
126 | Invalid PIN block
127 | PIN length error
128 | PIN key synchronization error (sanity error)
129 | Suspected counterfeit card
130 | Transaction failed OFAC check
131 | Check not acceptable
180 | Limit exceeded due to cashback amount
181 | Enter lesser amount
182 | Institution not supported by switch
183 | Balances not available for inquiry
184 | Resubmission in violation of network rules
185 | Stop payment on check (shared branch only)
207 | Special conditions
208 | Lost card
209 | Stolen card
210 | Suspected counterfeit card
907 | Card issuer or switch inoperative
908 | Transaction destination cannot be found for routing
909 | System malfunction
999 | Used by TabaPay for Testing

AVS Response Codes

Response Code for AVS | Description
Y | Zip Code and Address were matched
Z | Zip Code was matched
N | Zip Code and Address were not matched
A | Zip Code was not matched but Address was matched
U | AVS Information not available
R | AVS unavailable, can retry later

Security Code Response Codes

Response Code for Security Code | Description
M | Security Code was matched
N | Security Code was not matched

Internal Error Codes

EC | Description
0 | OK
3A100000 | Retrieve Client
3C300000 | Query Card
3C400000 | Create Account
3A400000 | Retrieve Account
3B400000 | Update Account
3D400000 | Delete Account
3C500000 | Create Transaction
3A500000 | Retrieve Transaction
3B500000 | Update Transaction
3D500000 | Delete Transaction

Status Codes

Status Code | Description
200 OK | The API Request was successfully processed.
201 Created | Transaction Created, but Transaction Processing is Pending (batch).
207 Multi-Status | One or more upstream processing failed.
400 Bad Request | The ResourceID is invalid, or the Request Data is invalid.
401 UnAuthorized | The Authorization Token is invalid, or the IP Address is invalid (not whitelisted).
403 Forbidden | Invalid permissions to access the Resource, please contact TabaPay support.
404 Not Found | The ResourceID does not point to a valid Resource.
405 Method Not Allowed | Request Method Not Allowed for the Requested Resource.
406 Not Acceptable | Our Web Application Firewall (WAF) found something invalid in your request.
409 Conflict | ReferenceID already used, or Conflicting Request Parameters.
410 Gone | The Resource pointed to by the ResourceID has been marked for deletion.
415 Unsupported Media Type | Content-type must be application/json.
422 Unprocessable Entity | The Resource pointed to by the ResourceID is in an invalid state, or the Transaction Amount exceeded one or more Limits.
423 Locked | The Resource pointed to by the ResourceID is locked.
429 Too Many Requests | Retrieve: Too many requests, please do not poll. Create Transaction: Over your Daily (24-hour rolling) Approximation Limit.
431 Request Header Fields Too Large | Too many HTTP Header Lines and/or HTTP Header Lines too big.
500 Server Error | There was a problem processing the Request.
502 Bad Gateway | Problem connecting to an Application Server.
503 Service Unavailable | Your request cannot be processed, should be only a Temporary Condition.
504 Gateway Timeout | Connection to an Application Server timed out.

A 400 Series Error is usually something that you can fix by changing something in your request. A 500 Series Error is usually something that you need to contact us (support@TabaPay.com) to look at. If we determine that a 500 Series Error can be fixed by you, we will try to change this error situation to a 400 Series Error in a future code release.

Currency Numbers

We are using ISO 4217 Currency Numbers.
Currency NumberCurrency CodeCurrency Name
784AEDUnited Arab Emirates dirham
971AFNAfghan afghani
008ALLAlbanian lek
051AMDArmenian dram
532ANGNetherlands Antillean guilder
973AOAAngolan kwanza
032ARSArgentine peso
036AUDAustralian dollar
533AWGAruban florin
944AZNAzerbaijani manat
977BAMBosnia and Herzegovina convertible mark
052BBDBarbados dollar
050BDTBangladeshi taka
975BGNBulgarian lev
048BHDBahraini dinar
108BIFBurundian franc
060BMDBermudian dollar
096BNDBrunei dollar
068BOBBoliviano
984BOVBolivian Mvdol (funds code)
986BRLBrazilian real
044BSDBahamian dollar
064BTNBhutanese ngultrum
072BWPBotswana pula
933BYNBelarusian ruble
084BZDBelize dollar
124CADCanadian dollar
976CDFCongolese franc
947CHEWIR Euro (complementary currency)
756CHFSwiss franc
948CHWWIR Franc (complementary currency)
990CLFUnidad de Fomento (funds code)
152CLPChilean peso
156CNYChinese yuan
170COPColombian peso
970COUUnidad de Valor Real (UVR) (funds code)
188CRCCosta Rican colon
931CUCCuban convertible peso
192CUPCuban peso
132CVECape Verde escudo
203CZKCzech koruna
262DJFDjiboutian franc
208DKKDanish krone
214DOPDominican peso
012DZDAlgerian dinar
818EGPEgyptian pound
232ERNEritrean nakfa
230ETBEthiopian birr
978EUREuro
242FJDFiji dollar
238FKPFalkland Islands pound
826GBPPound sterling
981GELGeorgian lari
936GHSGhanaian cedi
292GIPGibraltar pound
270GMDGambian dalasi
324GNFGuinean franc
320GTQGuatemalan quetzal
328GYDGuyanese dollar
344HKDHong Kong dollar
340HNLHonduran lempira
191HRKCroatian kuna
332HTGHaitian gourde
348HUFHungarian forint
360IDRIndonesian rupiah
376ILSIsraeli new shekel
356INRIndian rupee
368IQDIraqi dinar
364IRRIranian rial
352ISKIcelandic króna
388JMDJamaican dollar
400JODJordanian dinar
392JPYJapanese yen
404KESKenyan shilling
417KGSKyrgyzstani som
116KHRCambodian riel
174KMFComoro franc
408KPWNorth Korean won
410KRWSouth Korean won
414KWDKuwaiti dinar
136KYDCayman Islands dollar
398KZTKazakhstani tenge
418LAKLao kip
422LBPLebanese pound
144LKRSri Lankan rupee
430LRDLiberian dollar
426LSLLesotho loti
434LYDLibyan dinar
504MADMoroccan dirham
498MDLMoldovan leu
969MGAMalagasy ariary
807MKDMacedonian denar
104MMKMyanmar kyat
496MNTMongolian tögrög
446MOPMacanese pataca
478MROMauritanian ouguiya
480MURMauritian rupee
462MVRMaldivian rufiyaa
454MWKMalawian kwacha
484MXNMexican peso
979MXVMexican Unidad de Inversion (UDI) (funds code)
458MYRMalaysian ringgit
943MZNMozambican metical
516NADNamibian dollar
566NGNNigerian naira
558NIONicaraguan córdoba
578NOKNorwegian krone
524NPRNepalese rupee
554NZDNew Zealand dollar
512OMROmani rial
590PABPanamanian balboa
604PENPeruvian Sol
598PGKPapua New Guinean kina
608PHPPhilippine peso
586PKRPakistani rupee
985PLNPolish złoty
600PYGParaguayan guaraní
634QARQatari riyal
946RONRomanian leu
941RSDSerbian dinar
643RUBRussian ruble
646RWFRwandan franc
682SARSaudi riyal
090SBDSolomon Islands dollar
690SCRSeychelles rupee
938SDGSudanese pound
752SEKSwedish krona/kronor
702SGDSingapore dollar
654SHPSaint Helena pound
694SLLSierra Leonean leone
706SOSSomali shilling
968SRDSurinamese dollar
728SSPSouth Sudanese pound
678STDSão Tomé and Príncipe dobra
222SVCSalvadoran colón
760SYPSyrian pound
748SZLSwazi lilangeni
764THBThai baht
972TJSTajikistani somoni
934TMTTurkmenistani manat
788TNDTunisian dinar
776TOPTongan paʻanga
949TRYTurkish lira
780TTDTrinidad and Tobago dollar
901TWDNew Taiwan dollar
834TZSTanzanian shilling
980UAHUkrainian hryvnia
800UGXUgandan shilling
840USDUnited States dollar
997USNUnited States dollar (next day) (funds code)
940UYIUruguay Peso en Unidades Indexadas (URUIURUI) (funds code)
858UYUUruguayan peso
860UZSUzbekistan som
937VEFVenezuelan bolívar
704VNDVietnamese đồng
548VUVVanuatu vatu
882WSTSamoan tala
950XAFCFA franc BEAC
961XAGSilver (one troy ounce)
959XAUGold (one troy ounce)
955XBAEuropean Composite Unit (EURCO) (bond market unit)
956XBBEuropean Monetary Unit (E.M.U.-6) (bond market unit)
957XBCEuropean Unit of Account 9 (E.U.A.-9) (bond market unit)
958XBDEuropean Unit of Account 17 (E.U.A.-17) (bond market unit)
951XCDEast Caribbean dollar
960XDRSpecial drawing rights
952XOFCFA franc BCEAO
964XPDPalladium (one troy ounce)
953XPFCFP franc (franc Pacifique)
962XPTPlatinum (one troy ounce)
994XSUSUCRE
963XTSCode reserved for testing purposes
965XUAADB Unit of Account
999XXXNo currency
886YERYemeni rial
710ZARSouth African rand
967ZMWZambian kwacha
932ZWLZimbabwean dollar A/10

Country Codes

We are using ISO 3166-1 numeric (or numeric-3) codes.
Country Code | Country Name
004 | Afghanistan
248 | Åland Islands
008 | Albania
012 | Algeria
016 | American Samoa
020 | Andorra
024 | Angola
660 | Anguilla
010 | Antarctica
028 | Antigua and Barbuda
032 | Argentina
051 | Armenia
533 | Aruba
036 | Australia
040 | Austria
031 | Azerbaijan
044 | Bahamas
048 | Bahrain
050 | Bangladesh
052 | Barbados
112 | Belarus
056 | Belgium
084 | Belize
204 | Benin
060 | Bermuda
064 | Bhutan
068 | Bolivia, Plurinational State of
535 | Bonaire, Sint Eustatius and Saba
070 | Bosnia and Herzegovina
072 | Botswana
074 | Bouvet Island
076 | Brazil
086 | British Indian Ocean Territory
096 | Brunei Darussalam
100 | Bulgaria
854 | Burkina Faso
108 | Burundi
132 | Cabo Verde
116 | Cambodia
120 | Cameroon
124 | Canada
136 | Cayman Islands
140 | Central African Republic
148 | Chad
152 | Chile
156 | China
162 | Christmas Island
166 | Cocos (Keeling) Islands
170 | Colombia
174 | Comoros
178 | Congo
180 | Congo, the Democratic Republic of the
184 | Cook Islands
188 | Costa Rica
384 | Côte d'Ivoire
191 | Croatia
192 | Cuba
531 | Curaçao
196 | Cyprus
203 | Czechia
208 | Denmark
262 | Djibouti
212 | Dominica
214 | Dominican Republic
218 | Ecuador
818 | Egypt
222 | El Salvador
226 | Equatorial Guinea
232 | Eritrea
233 | Estonia
231 | Ethiopia
238 | Falkland Islands (Malvinas)
234 | Faroe Islands
242 | Fiji
246 | Finland
250 | France
254 | French Guiana
258 | French Polynesia
260 | French Southern Territories
266 | Gabon
270 | Gambia
268 | Georgia
276 | Germany
288 | Ghana
292 | Gibraltar
300 | Greece
304 | Greenland
308 | Grenada
312 | Guadeloupe
316 | Guam
320 | Guatemala
831 | Guernsey
324 | Guinea
624 | Guinea-Bissau
328 | Guyana
332 | Haiti
334 | Heard Island and McDonald Islands
336 | Holy See
340 | Honduras
344 | Hong Kong
348 | Hungary
352 | Iceland
356 | India
360 | Indonesia
364 | Iran, Islamic Republic of
368 | Iraq
372 | Ireland
833 | Isle of Man
376 | Israel
380 | Italy
388 | Jamaica
392 | Japan
832 | Jersey
400 | Jordan
398 | Kazakhstan
404 | Kenya
296 | Kiribati
408 | Korea, Democratic People's Republic of
410 | Korea, Republic of
414 | Kuwait
417 | Kyrgyzstan
418 | Lao People's Democratic Republic
428 | Latvia
422 | Lebanon
426 | Lesotho
430 | Liberia
434 | Libya
438 | Liechtenstein
440 | Lithuania
442 | Luxembourg
446 | Macao
807 | Macedonia, the former Yugoslav Republic of
450 | Madagascar
454 | Malawi
458 | Malaysia
462 | Maldives
466 | Mali
470 | Malta
584 | Marshall Islands
474 | Martinique
478 | Mauritania
480 | Mauritius
175 | Mayotte
484 | Mexico
583 | Micronesia, Federated States of
498 | Moldova, Republic of
492 | Monaco
496 | Mongolia
499 | Montenegro
500 | Montserrat
504 | Morocco
508 | Mozambique
104 | Myanmar
516 | Namibia
520 | Nauru
524 | Nepal
528 | Netherlands
540 | New Caledonia
554 | New Zealand
558 | Nicaragua
562 | Niger
566 | Nigeria
570 | Niue
574 | Norfolk Island
580 | Northern Mariana Islands
578 | Norway
512 | Oman
586 | Pakistan
585 | Palau
275 | Palestine, State of
591 | Panama
598 | Papua New Guinea
600 | Paraguay
604 | Peru
608 | Philippines
612 | Pitcairn
616 | Poland
620 | Portugal
630 | Puerto Rico
634 | Qatar
638 | Réunion
642 | Romania
643 | Russian Federation
646 | Rwanda
652 | Saint Barthélemy
654 | Saint Helena, Ascension and Tristan da Cunha
659 | Saint Kitts and Nevis
662 | Saint Lucia
663 | Saint Martin (French part)
666 | Saint Pierre and Miquelon
670 | Saint Vincent and the Grenadines
882 | Samoa
674 | San Marino
678 | Sao Tome and Principe
682 | Saudi Arabia
686 | Senegal
688 | Serbia
690 | Seychelles
694 | Sierra Leone
702 | Singapore
534 | Sint Maarten (Dutch part)
703 | Slovakia
705 | Slovenia
090 | Solomon Islands
706 | Somalia
710 | South Africa
239 | South Georgia and the South Sandwich Islands
728 | South Sudan
724 | Spain
144 | Sri Lanka
729 | Sudan
740 | Suriname
744 | Svalbard and Jan Mayen
748 | Swaziland
752 | Sweden
756 | Switzerland
760 | Syrian Arab Republic
158 | Taiwan, Province of China
762 | Tajikistan
834 | Tanzania, United Republic of
764 | Thailand
626 | Timor-Leste
768 | Togo
772 | Tokelau
776 | Tonga
780 | Trinidad and Tobago
788 | Tunisia
792 | Turkey
795 | Turkmenistan
796 | Turks and Caicos Islands
798 | Tuvalu
800 | Uganda
804 | Ukraine
784 | United Arab Emirates
826 | United Kingdom
581 | United States Minor Outlying Islands
840 | United States of America
858 | Uruguay
860 | Uzbekistan
548 | Vanuatu
862 | Venezuela, Bolivarian Republic of
704 | Viet Nam
092 | Virgin Islands, British
850 | Virgin Islands, U.S.
876 | Wallis and Futuna
732 | Western Sahara
887 | Yemen
894 | Zambia
716 | Zimbabwe

State Codes

We are using the United States Postal Service 2-letter codes.
State Code | State Name | State Numeric Code
AL | Alabama | 01
AK | Alaska | 02
AZ | Arizona | 04
AR | Arkansas | 05
CA | California | 06
CO | Colorado | 08
CT | Connecticut | 09
DE | Delaware | 10
DC | District of Columbia | 11
FL | Florida | 12
GA | Georgia | 13
HI | Hawaii | 15
ID | Idaho | 16
IL | Illinois | 17
IN | Indiana | 18
IA | Iowa | 19
KS | Kansas | 20
KY | Kentucky | 21
LA | Louisiana | 22
ME | Maine | 23
MD | Maryland | 24
MA | Massachusetts | 25
MI | Michigan | 26
MN | Minnesota | 27
MS | Mississippi | 28
MO | Missouri | 29
MT | Montana | 30
NE | Nebraska | 31
NV | Nevada | 32
NH | New Hampshire | 33
NJ | New Jersey | 34
NM | New Mexico | 35
NY | New York | 36
NC | North Carolina | 37
ND | North Dakota | 38
OH | Ohio | 39
OK | Oklahoma | 40
OR | Oregon | 41
PA | Pennsylvania | 42
RI | Rhode Island | 44
SC | South Carolina | 45
SD | South Dakota | 46
TN | Tennessee | 47
TX | Texas | 48
UT | Utah | 49
VT | Vermont | 50
VA | Virginia | 51
WA | Washington | 53
WV | West Virginia | 54
WI | Wisconsin | 55
WY | Wyoming | 56
AS | American Samoa | 00
GU | Guam | 00
MP | Northern Mariana Islands | 00
PR | Puerto Rico | 00
UM | United States Minor Outlying Islands | 00
VI | Virgin Islands | 00

Resource Statuses

Resource's Status | Any Resource | Transaction | Description
OK |  |  | Resource is in normal status.
LOCKED |  |  | Resource is locked.
DELETED |  |  | Resource is marked for deletion.
PENDING |  |  | Transaction processing started or waiting to be processed (batch).
FAILED |  |  | Transaction processing failed.
UNKNOWN |  |  | Transaction processing result is unknown.
ERROR |  |  | Transaction processing error.
COMPLETED |  |  | Transaction completed processing successfully.
REVERSED |  |  | A Request to Reverse a previous PULL Transaction was requested.
REVERSAL |  |  | A Request to Reverse a previous PULL Transaction was tried, however the status is unknown.

Transactions

The following tables show the statuses a Transaction Resource goes through:

Transaction Successful

Status | Description
OK | Transaction created.
PENDING | Transaction processing started or waiting to be processed (batch).
COMPLETED | Transaction processed successfully.

Transaction Error

Status | Description
OK | Transaction created.
PENDING | Transaction processing started.
ERROR | Transaction processing error, see Network Response Code.

Transaction Processing returned a non-successful Network Response Code from a Card Network.

Transaction Failed

Status | Description
OK | Transaction created.
PENDING | Transaction processing started.
FAILED | Transaction processing failed.

Transaction Processing failed. The Transaction was unsuccessful.

Transaction Result is Unknown

Status | Description
OK | Transaction created.
PENDING | Transaction processing started.
UNKNOWN | Transaction processing result is unknown.

The Transaction could have been successful or not. Manual intervention is required to determine the status of the Transaction. Please contact support@TabaPay.com.

Transaction Timed Out so Result was originally Unknown but actually Successful

Status | Description
OK | Transaction created.
PENDING | Transaction processing started.
UNKNOWN | Transaction processing result is unknown.
COMPLETED | Transaction processed successfully.

The Transaction timed out, so the Transaction Status was originally set to UNKNOWN and your request returned a Status Code of 207. Transaction processing continued, and the final, actual Transaction Status is COMPLETED.

Transaction Timed Out so Result was originally Unknown but actually Failed

Status | Description
OK | Transaction created.
PENDING | Transaction processing started.
UNKNOWN | Transaction processing result is unknown.
FAILED | Transaction processing failed.

The Transaction timed out, so the Transaction Status was originally set to UNKNOWN and your request returned a Status Code of 207. Transaction processing continued, but something went wrong, so the final, actual Transaction Status is FAILED.

Transaction Successful but a Request to Reverse the Transaction was requested

Status | Description
OK | Transaction created.
PENDING | Transaction processing started or waiting to be processed (batch).
COMPLETED | Transaction processed successfully.
REVERSED | Transaction Reversal was requested.

Transaction Successful but a Request to Reverse the Transaction was tried

Status | Description
OK | Transaction created.
PENDING | Transaction processing started or waiting to be processed (batch).
COMPLETED | Transaction processed successfully.
REVERSAL | Transaction Reversal was tried, however the status is unknown.
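
The status paths listed above can be checked mechanically on the client side. The following is an added example, not TabaPay code: it encodes the documented paths as a transition table, flags a status history that leaves them, and blocks resubmission of a payment while the outcome is not known (UNKNOWN, REVERSAL, or a 207 on a transaction still in progress). The function names, the Action values and the hold policy are assumptions of this example; only the status names and the 207 Status Code come from this page.

```python
from enum import Enum

# Transitions read off the status tables above. None means "not created yet".
# Statuses that appear in no transaction path (LOCKED, DELETED) are treated as
# a deviation here; that choice is an assumption of this example.
TRANSITIONS = {
    None: {"OK"},
    "OK": {"PENDING"},
    "PENDING": {"COMPLETED", "ERROR", "FAILED", "UNKNOWN"},
    "UNKNOWN": {"COMPLETED", "FAILED"},   # timed-out request resolved later
    "COMPLETED": {"REVERSED", "REVERSAL"},
    "ERROR": set(),
    "FAILED": set(),
    "REVERSED": set(),
    "REVERSAL": set(),
}


class Action(Enum):
    WAIT = "still processing, retrieve the transaction again later"
    SETTLED = "transaction completed"
    NOT_SETTLED = "transaction was unsuccessful"
    REVERSED = "reversal was requested"
    HOLD = "outcome not known, reconcile before doing anything else"


# What the last status of a consistent history means for the caller.
OUTCOME = {
    "COMPLETED": Action.SETTLED,
    "ERROR": Action.NOT_SETTLED,
    "FAILED": Action.NOT_SETTLED,
    "REVERSED": Action.REVERSED,
    "UNKNOWN": Action.HOLD,
    "REVERSAL": Action.HOLD,
}


def first_violation(history):
    """Index of the first status that does not follow the documented paths,
    or None when the whole history is consistent."""
    previous = None
    for index, status in enumerate(history):
        if status not in TRANSITIONS[previous]:
            return index
        previous = status
    return None


def decide(history, http_status=None):
    """Map a status history (oldest first) to an Action.

    http_status is the Status Code returned by the create request, if known.
    """
    if not history:
        raise ValueError("empty status history")
    if first_violation(history) is not None:
        return Action.HOLD            # record deviates from the documented paths
    last = history[-1]
    if last in OUTCOME:
        return OUTCOME[last]
    # Last status is OK or PENDING. A 207 means the request timed out, so the
    # result has to be treated as unknown until a later status resolves it.
    if http_status == 207:
        return Action.HOLD
    return Action.WAIT


def may_resubmit(history, http_status=None):
    """Resubmitting the same payment is allowed only after ERROR or FAILED."""
    return decide(history, http_status) is Action.NOT_SETTLED


# Constructed sample histories (not real transaction data).
SAMPLES = {
    "successful": (["OK", "PENDING", "COMPLETED"], 200),
    "timed out, unresolved": (["OK", "PENDING", "UNKNOWN"], 207),
    "timed out, later failed": (["OK", "PENDING", "UNKNOWN", "FAILED"], 207),
    "reversal tried": (["OK", "PENDING", "COMPLETED", "REVERSAL"], 200),
    "inconsistent record": (["OK", "PENDING", "FAILED", "COMPLETED"], 200),
}


def demo():
    """Return {sample name: (action name, may_resubmit)} for the samples."""
    return {
        name: (decide(h, code).name, may_resubmit(h, code))
        for name, (h, code) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} -> {result}")
```

The inconsistent record (FAILED followed by COMPLETED) is held rather than trusted, which is the case worth alerting on when reconciling stored transaction histories.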

Test Cards

PCI requires us and you to use Test Card Numbers when testing. You should never use a real Card Number in the Sandbox Environment. The following Card Numbers were randomly created; if any of them happens to be a real Card Number, it is purely by coincidence. Sample Card Numbers by Network:
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
STAR
9010100999999995✘ No✘ Not Valid✘ Not Valid
9010101999999993✘ No✘ Not Valid
9010102999999991✘ No✘ Not Valid
9010103999999999✘ No✘ Not Valid
9010110999999994✘ No✘ Not Valid
9010111999999992✘ No
9010112999999990✘ No
9010113999999998✘ No
9010200999999993✘ No✘ Not Valid✘ Not Valid
9010201999999991✘ No✘ Not Valid
9010202999999999✘ No✘ Not Valid
9010203999999997✘ No✘ Not Valid
9010210999999992✘ No✘ Not Valid
9010211999999990✘ No
9010212999999998✘ No
9010213999999996✘ No
9010300999999991✘ No✘ Not Valid✘ Not Valid
9010301999999999✘ No✘ Not Valid
9010302999999997✘ No✘ Not Valid
9010303999999995✘ No✘ Not Valid
9010310999999990✘ No✘ Not Valid
9010311999999998✘ No
9010312999999996✘ No
9010313999999994✘ No
9011100999999994✔ Yes✘ Not Valid✘ Not Valid
9011101999999992✔ Yes✘ Not Valid
9011102999999990✔ Yes✘ Not Valid
9011103999999998✔ Yes✘ Not Valid
9011110999999993✔ Yes✘ Not Valid
9011111999999991✔ Yes
9011112999999999✔ Yes
9011113999999997✔ Yes
9011200999999992✔ Yes✘ Not Valid✘ Not Valid
9011201999999990✔ Yes✘ Not Valid
9011202999999998✔ Yes✘ Not Valid
9011203999999996✔ Yes✘ Not Valid
9011210999999991✔ Yes✘ Not Valid
9011211999999999✔ Yes
9011212999999997✔ Yes
9011213999999995✔ Yes
9011300999999990✔ Yes✘ Not Valid✘ Not Valid
9011301999999998✔ Yes✘ Not Valid
9011302999999996✔ Yes✘ Not Valid
9011303999999994✔ Yes✘ Not Valid
9011310999999999✔ Yes✘ Not Valid
9011311999999997✔ Yes
9011312999999995✔ Yes
9011313999999993✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
Pulse
9020100999999993✘ No✘ Not Valid✘ Not Valid
9020101999999991✘ No✘ Not Valid
9020102999999999✘ No✘ Not Valid
9020103999999997✘ No✘ Not Valid
9020110999999992✘ No✘ Not Valid
9020111999999990✘ No
9020112999999998✘ No
9020113999999996✘ No
9020200999999991✘ No✘ Not Valid✘ Not Valid
9020201999999999✘ No✘ Not Valid
9020202999999997✘ No✘ Not Valid
9020203999999995✘ No✘ Not Valid
9020210999999990✘ No✘ Not Valid
9020211999999998✘ No
9020212999999996✘ No
9020213999999994✘ No
9020300999999999✘ No✘ Not Valid✘ Not Valid
9020301999999997✘ No✘ Not Valid
9020302999999995✘ No✘ Not Valid
9020303999999993✘ No✘ Not Valid
9020310999999998✘ No✘ Not Valid
9020311999999996✘ No
9020312999999994✘ No
9020313999999992✘ No
9021100999999992✔ Yes✘ Not Valid✘ Not Valid
9021101999999990✔ Yes✘ Not Valid
9021102999999998✔ Yes✘ Not Valid
9021103999999996✔ Yes✘ Not Valid
9021110999999991✔ Yes✘ Not Valid
9021111999999999✔ Yes
9021112999999997✔ Yes
9021113999999995✔ Yes
9021200999999990✔ Yes✘ Not Valid✘ Not Valid
9021201999999998✔ Yes✘ Not Valid
9021202999999996✔ Yes✘ Not Valid
9021203999999994✔ Yes✘ Not Valid
9021210999999999✔ Yes✘ Not Valid
9021211999999997✔ Yes
9021212999999995✔ Yes
9021213999999993✔ Yes
9021300999999998✔ Yes✘ Not Valid✘ Not Valid
9021301999999996✔ Yes✘ Not Valid
9021302999999994✔ Yes✘ Not Valid
9021303999999992✔ Yes✘ Not Valid
9021310999999997✔ Yes✘ Not Valid
9021311999999995✔ Yes
9021312999999993✔ Yes
9021313999999991✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
NYCE
9030100999999991✘ No✘ Not Valid✘ Not Valid
9030101999999999✘ No✘ Not Valid
9030102999999997✘ No✘ Not Valid
9030103999999995✘ No✘ Not Valid
9030110999999990✘ No✘ Not Valid
9030111999999998✘ No
9030112999999996✘ No
9030113999999994✘ No
9030200999999999✘ No✘ Not Valid✘ Not Valid
9030201999999997✘ No✘ Not Valid
9030202999999995✘ No✘ Not Valid
9030203999999993✘ No✘ Not Valid
9030210999999998✘ No✘ Not Valid
9030211999999996✘ No
9030212999999994✘ No
9030213999999992✘ No
9030300999999997✘ No✘ Not Valid✘ Not Valid
9030301999999995✘ No✘ Not Valid
9030302999999993✘ No✘ Not Valid
9030303999999991✘ No✘ Not Valid
9030310999999996✘ No✘ Not Valid
9030311999999994✘ No
9030312999999992✘ No
9030313999999990✘ No
9031100999999990✔ Yes✘ Not Valid✘ Not Valid
9031101999999998✔ Yes✘ Not Valid
9031102999999996✔ Yes✘ Not Valid
9031103999999994✔ Yes✘ Not Valid
9031110999999999✔ Yes✘ Not Valid
9031111999999997✔ Yes
9031112999999995✔ Yes
9031113999999993✔ Yes
9031200999999998✔ Yes✘ Not Valid✘ Not Valid
9031201999999996✔ Yes✘ Not Valid
9031202999999994✔ Yes✘ Not Valid
9031203999999992✔ Yes✘ Not Valid
9031210999999997✔ Yes✘ Not Valid
9031211999999995✔ Yes
9031212999999993✔ Yes
9031213999999991✔ Yes
9031300999999996✔ Yes✘ Not Valid✘ Not Valid
9031301999999994✔ Yes✘ Not Valid
9031302999999992✔ Yes✘ Not Valid
9031303999999990✔ Yes✘ Not Valid
9031310999999995✔ Yes✘ Not Valid
9031311999999993✔ Yes
9031312999999991✔ Yes
9031313999999999✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
CU24
9050100999999996✘ No✘ Not Valid✘ Not Valid
9050101999999994✘ No✘ Not Valid
9050102999999992✘ No✘ Not Valid
9050103999999990✘ No✘ Not Valid
9050110999999995✘ No✘ Not Valid
9050111999999993✘ No
9050112999999991✘ No
9050113999999999✘ No
9050200999999994✘ No✘ Not Valid✘ Not Valid
9050201999999992✘ No✘ Not Valid
9050202999999990✘ No✘ Not Valid
9050203999999998✘ No✘ Not Valid
9050210999999993✘ No✘ Not Valid
9050211999999991✘ No
9050212999999999✘ No
9050213999999997✘ No
9050300999999992✘ No✘ Not Valid✘ Not Valid
9050301999999990✘ No✘ Not Valid
9050302999999998✘ No✘ Not Valid
9050303999999996✘ No✘ Not Valid
9050310999999991✘ No✘ Not Valid
9050311999999999✘ No
9050312999999997✘ No
9050313999999995✘ No
9051100999999995✔ Yes✘ Not Valid✘ Not Valid
9051101999999993✔ Yes✘ Not Valid
9051102999999991✔ Yes✘ Not Valid
9051103999999999✔ Yes✘ Not Valid
9051110999999994✔ Yes✘ Not Valid
9051111999999992✔ Yes
9051112999999990✔ Yes
9051113999999998✔ Yes
9051200999999993✔ Yes✘ Not Valid✘ Not Valid
9051201999999991✔ Yes✘ Not Valid
9051202999999999✔ Yes✘ Not Valid
9051203999999997✔ Yes✘ Not Valid
9051210999999992✔ Yes✘ Not Valid
9051211999999990✔ Yes
9051212999999998✔ Yes
9051213999999996✔ Yes
9051300999999991✔ Yes✘ Not Valid✘ Not Valid
9051301999999999✔ Yes✘ Not Valid
9051302999999997✔ Yes✘ Not Valid
9051303999999995✔ Yes✘ Not Valid
9051310999999990✔ Yes✘ Not Valid
9051311999999998✔ Yes
9051312999999996✔ Yes
9051313999999994✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
Accel
9080100999999990✘ No✘ Not Valid✘ Not Valid
9080101999999998✘ No✘ Not Valid
9080102999999996✘ No✘ Not Valid
9080103999999994✘ No✘ Not Valid
9080110999999999✘ No✘ Not Valid
9080111999999997✘ No
9080112999999995✘ No
9080113999999993✘ No
9080200999999998✘ No✘ Not Valid✘ Not Valid
9080201999999996✘ No✘ Not Valid
9080202999999994✘ No✘ Not Valid
9080203999999992✘ No✘ Not Valid
9080210999999997✘ No✘ Not Valid
9080211999999995✘ No
9080212999999993✘ No
9080213999999991✘ No
9080300999999996✘ No✘ Not Valid✘ Not Valid
9080301999999994✘ No✘ Not Valid
9080302999999992✘ No✘ Not Valid
9080303999999990✘ No✘ Not Valid
9080310999999995✘ No✘ Not Valid
9080311999999993✘ No
9080312999999991✘ No
9080313999999999✘ No
9081100999999999✔ Yes✘ Not Valid✘ Not Valid
9081101999999997✔ Yes✘ Not Valid
9081102999999995✔ Yes✘ Not Valid
9081103999999993✔ Yes✘ Not Valid
9081110999999998✔ Yes✘ Not Valid
9081111999999996✔ Yes
9081112999999994✔ Yes
9081113999999992✔ Yes
9081200999999997✔ Yes✘ Not Valid✘ Not Valid
9081201999999995✔ Yes✘ Not Valid
9081202999999993✔ Yes✘ Not Valid
9081203999999991✔ Yes✘ Not Valid
9081210999999996✔ Yes✘ Not Valid
9081211999999994✔ Yes
9081212999999992✔ Yes
9081213999999990✔ Yes
9081300999999995✔ Yes✘ Not Valid✘ Not Valid
9081301999999993✔ Yes✘ Not Valid
9081302999999991✔ Yes✘ Not Valid
9081303999999999✔ Yes✘ Not Valid
9081310999999994✔ Yes✘ Not Valid
9081311999999992✔ Yes
9081312999999990✔ Yes
9081313999999998✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
Visa
9400100999999993✘ No✘ Not Valid✘ Not Valid
9400101999999991✘ No✘ Not Valid
9400102999999999✘ No✘ Not Valid
9400103999999997✘ No✘ Not Valid
9400110999999992✘ No✘ Not Valid
9400111999999990✘ No
9400112999999998✘ No
9400113999999996✘ No
9400120999999991✘ No✘ Not Valid
9400121999999999✘ No
9400122999999997✘ No
9400123999999995✘ No
9400200999999991✘ No✘ Not Valid✘ Not Valid
9400201999999999✘ No✘ Not Valid
9400202999999997✘ No✘ Not Valid
9400203999999995✘ No✘ Not Valid
9400210999999990✘ No✘ Not Valid
9400211999999998✘ No
9400212999999996✘ No
9400213999999994✘ No
9400220999999999✘ No✘ Not Valid
9400221999999997✘ No
9400222999999995✘ No
9400223999999993✘ No
9400300999999999✘ No✘ Not Valid✘ Not Valid
9400301999999997✘ No✘ Not Valid
9400302999999995✘ No✘ Not Valid
9400303999999993✘ No✘ Not Valid
9400310999999998✘ No✘ Not Valid
9400311999999996✘ No
9400312999999994✘ No
9400313999999992✘ No
9400320999999997✘ No✘ Not Valid
9400321999999995✘ No
9400322999999993✘ No
9400323999999991✘ No
9401100999999992✔ Yes✘ Not Valid✘ Not Valid
9401101999999990✔ Yes✘ Not Valid
9401102999999998✔ Yes✘ Not Valid
9401103999999996✔ Yes✘ Not Valid
9401110999999991✔ Yes✘ Not Valid
9401111999999999✔ Yes
9401112999999997✔ Yes
9401113999999995✔ Yes
9401120999999990✔ Yes✘ Not Valid
9401121999999998✔ Yes
9401122999999996✔ Yes
9401123999999994✔ Yes
9401200999999990✔ Yes✘ Not Valid✘ Not Valid
9401201999999998✔ Yes✘ Not Valid
9401202999999996✔ Yes✘ Not Valid
9401203999999994✔ Yes✘ Not Valid
9401210999999999✔ Yes✘ Not Valid
9401211999999997✔ Yes
9401212999999995✔ Yes
9401213999999993✔ Yes
9401220999999998✔ Yes✘ Not Valid
9401221999999996✔ Yes
9401222999999994✔ Yes
9401223999999992✔ Yes
9401300999999998✔ Yes✘ Not Valid✘ Not Valid
9401301999999996✔ Yes✘ Not Valid
9401302999999994✔ Yes✘ Not Valid
9401303999999992✔ Yes✘ Not Valid
9401310999999997✔ Yes✘ Not Valid
9401311999999995✔ Yes
9401312999999993✔ Yes
9401313999999991✔ Yes
9401320999999996✔ Yes✘ Not Valid
9401321999999994✔ Yes
9401322999999992✔ Yes
9401323999999990✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
VisaFF
9940101999999998✘ No✘ Not Valid
9940201999999996✘ No✘ Not Valid
9940301999999994✘ No✘ Not Valid
9941101999999997✔ Yes✘ Not Valid
9941201999999995✔ Yes✘ Not Valid
9941301999999993✔ Yes✘ Not Valid
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
MasterCard
9500100999999992✘ No✘ Not Valid✘ Not Valid
9500110999999991✘ No✘ Not Valid
9500120999999990✘ No✘ Not Valid
9500200999999990✘ No✘ Not Valid✘ Not Valid
9500210999999999✘ No✘ Not Valid
9500220999999998✘ No✘ Not Valid
9500300999999998✘ No✘ Not Valid✘ Not Valid
9500310999999997✘ No✘ Not Valid
9500320999999996✘ No✘ Not Valid
9501100999999991✔ Yes✘ Not Valid✘ Not Valid
9501110999999990✔ Yes✘ Not Valid
9501120999999999✔ Yes✘ Not Valid
9501200999999999✔ Yes✘ Not Valid✘ Not Valid
9501210999999998✔ Yes✘ Not Valid
9501220999999997✔ Yes✘ Not Valid
9501300999999997✔ Yes✘ Not Valid✘ Not Valid
9501310999999996✔ Yes✘ Not Valid
9501320999999995✔ Yes✘ Not Valid
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
MoneySend
9950101999999995✘ No✘ Not Valid
9950201999999993✘ No✘ Not Valid
9950301999999991✘ No✘ Not Valid
9950102999999993✘ No✘ Not Valid
9950202999999991✘ No✘ Not Valid
9950302999999999✘ No✘ Not Valid
9950103999999991✘ No✘ Not Valid
9950203999999999✘ No✘ Not Valid
9950303999999997✘ No✘ Not Valid
9951101999999994✔ Yes✘ Not Valid
9951201999999992✔ Yes✘ Not Valid
9951301999999990✔ Yes✘ Not Valid
9951102999999992✔ Yes✘ Not Valid
9951202999999990✔ Yes✘ Not Valid
9951302999999998✔ Yes✘ Not Valid
9951103999999990✔ Yes✘ Not Valid
9951203999999998✔ Yes✘ Not Valid
9951303999999996✔ Yes✘ Not Valid
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
STAR

Visa

9410100999999991✘ No✘ Not Valid✘ Not Valid
9410101999999999✘ No✘ Not Valid
9410102999999997✘ No✘ Not Valid
9410103999999995✘ No✘ Not Valid
9410110999999990✘ No✘ Not Valid
9410111999999998✘ No
9410112999999996✘ No
9410113999999994✘ No
9410200999999999✘ No✘ Not Valid✘ Not Valid
9410201999999997✘ No✘ Not Valid
9410202999999995✘ No✘ Not Valid
9410203999999993✘ No✘ Not Valid
9410210999999998✘ No✘ Not Valid
9410211999999996✘ No
9410212999999994✘ No
9410213999999992✘ No
9410300999999997✘ No✘ Not Valid✘ Not Valid
9410301999999995✘ No✘ Not Valid
9410302999999993✘ No✘ Not Valid
9410303999999991✘ No✘ Not Valid
9410310999999996✘ No✘ Not Valid
9410311999999994✘ No
9410312999999992✘ No
9410313999999990✘ No
9411100999999990✔ Yes✘ Not Valid✘ Not Valid
9411101999999998✔ Yes✘ Not Valid
9411102999999996✔ Yes✘ Not Valid
9411103999999994✔ Yes✘ Not Valid
9411110999999999✔ Yes✘ Not Valid
9411111999999997✔ Yes
9411112999999995✔ Yes
9411113999999993✔ Yes
9411200999999998✔ Yes✘ Not Valid✘ Not Valid
9411201999999996✔ Yes✘ Not Valid
9411202999999994✔ Yes✘ Not Valid
9411203999999992✔ Yes✘ Not Valid
9411210999999997✔ Yes✘ Not Valid
9411211999999995✔ Yes
9411212999999993✔ Yes
9411213999999991✔ Yes
9411300999999996✔ Yes✘ Not Valid✘ Not Valid
9411301999999994✔ Yes✘ Not Valid
9411302999999992✔ Yes✘ Not Valid
9411303999999990✔ Yes✘ Not Valid
9411310999999995✔ Yes✘ Not Valid
9411311999999993✔ Yes
9411312999999991✔ Yes
9411313999999999✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
Pulse

Visa

9420100999999999✘ No✘ Not Valid✘ Not Valid
9420101999999997✘ No✘ Not Valid
9420102999999995✘ No✘ Not Valid
9420103999999993✘ No✘ Not Valid
9420110999999998✘ No✘ Not Valid
9420111999999996✘ No
9420112999999994✘ No
9420113999999992✘ No
9420200999999997✘ No✘ Not Valid✘ Not Valid
9420201999999995✘ No✘ Not Valid
9420202999999993✘ No✘ Not Valid
9420203999999991✘ No✘ Not Valid
9420210999999996✘ No✘ Not Valid
9420211999999994✘ No
9420212999999992✘ No
9420213999999990✘ No
9420300999999995✘ No✘ Not Valid✘ Not Valid
9420301999999993✘ No✘ Not Valid
9420302999999991✘ No✘ Not Valid
9420303999999999✘ No✘ Not Valid
9420310999999994✘ No✘ Not Valid
9420311999999992✘ No
9420312999999990✘ No
9420313999999998✘ No
9421100999999998✔ Yes✘ Not Valid✘ Not Valid
9421101999999996✔ Yes✘ Not Valid
9421102999999994✔ Yes✘ Not Valid
9421103999999992✔ Yes✘ Not Valid
9421110999999997✔ Yes✘ Not Valid
9421111999999995✔ Yes
9421112999999993✔ Yes
9421113999999991✔ Yes
9421200999999996✔ Yes✘ Not Valid✘ Not Valid
9421201999999994✔ Yes✘ Not Valid
9421202999999992✔ Yes✘ Not Valid
9421203999999990✔ Yes✘ Not Valid
9421210999999995✔ Yes✘ Not Valid
9421211999999993✔ Yes
9421212999999991✔ Yes
9421213999999999✔ Yes
9421300999999994✔ Yes✘ Not Valid✘ Not Valid
9421301999999992✔ Yes✘ Not Valid
9421302999999990✔ Yes✘ Not Valid
9421303999999998✔ Yes✘ Not Valid
9421310999999993✔ Yes✘ Not Valid
9421311999999991✔ Yes
9421312999999999✔ Yes
9421313999999997✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
NYCE

Visa

9430100999999997✘ No✘ Not Valid✘ Not Valid
9430101999999995✘ No✘ Not Valid
9430102999999993✘ No✘ Not Valid
9430103999999991✘ No✘ Not Valid
9430110999999996✘ No✘ Not Valid
9430111999999994✘ No
9430112999999992✘ No
9430113999999990✘ No
9430200999999995✘ No✘ Not Valid✘ Not Valid
9430201999999993✘ No✘ Not Valid
9430202999999991✘ No✘ Not Valid
9430203999999999✘ No✘ Not Valid
9430210999999994✘ No✘ Not Valid
9430211999999992✘ No
9430212999999990✘ No
9430213999999998✘ No
9430300999999993✘ No✘ Not Valid✘ Not Valid
9430301999999991✘ No✘ Not Valid
9430302999999999✘ No✘ Not Valid
9430303999999997✘ No✘ Not Valid
9430310999999992✘ No✘ Not Valid
9430311999999990✘ No
9430312999999998✘ No
9430313999999996✘ No
9431100999999996✔ Yes✘ Not Valid✘ Not Valid
9431101999999994✔ Yes✘ Not Valid
9431102999999992✔ Yes✘ Not Valid
9431103999999990✔ Yes✘ Not Valid
9431110999999995✔ Yes✘ Not Valid
9431111999999993✔ Yes
9431112999999991✔ Yes
9431113999999999✔ Yes
9431200999999994✔ Yes✘ Not Valid✘ Not Valid
9431201999999992✔ Yes✘ Not Valid
9431202999999990✔ Yes✘ Not Valid
9431203999999998✔ Yes✘ Not Valid
9431210999999993✔ Yes✘ Not Valid
9431211999999991✔ Yes
9431212999999999✔ Yes
9431213999999997✔ Yes
9431300999999992✔ Yes✘ Not Valid✘ Not Valid
9431301999999990✔ Yes✘ Not Valid
9431302999999998✔ Yes✘ Not Valid
9431303999999996✔ Yes✘ Not Valid
9431310999999991✔ Yes✘ Not Valid
9431311999999999✔ Yes
9431312999999997✔ Yes
9431313999999995✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
CU24

Visa

9450100999999992✘ No✘ Not Valid✘ Not Valid
9450101999999990✘ No✘ Not Valid
9450102999999998✘ No✘ Not Valid
9450103999999996✘ No✘ Not Valid
9450110999999991✘ No✘ Not Valid
9450111999999999✘ No
9450112999999997✘ No
9450113999999995✘ No
9450200999999990✘ No✘ Not Valid✘ Not Valid
9450201999999998✘ No✘ Not Valid
9450202999999996✘ No✘ Not Valid
9450203999999994✘ No✘ Not Valid
9450210999999999✘ No✘ Not Valid
9450211999999997✘ No
9450212999999995✘ No
9450213999999993✘ No
9450300999999998✘ No✘ Not Valid✘ Not Valid
9450301999999996✘ No✘ Not Valid
9450302999999994✘ No✘ Not Valid
9450303999999992✘ No✘ Not Valid
9450310999999997✘ No✘ Not Valid
9450311999999995✘ No
9450312999999993✘ No
9450313999999991✘ No
9451100999999991✔ Yes✘ Not Valid✘ Not Valid
9451101999999999✔ Yes✘ Not Valid
9451102999999997✔ Yes✘ Not Valid
9451103999999995✔ Yes✘ Not Valid
9451110999999990✔ Yes✘ Not Valid
9451111999999998✔ Yes
9451112999999996✔ Yes
9451113999999994✔ Yes
9451200999999999✔ Yes✘ Not Valid✘ Not Valid
9451201999999997✔ Yes✘ Not Valid
9451202999999995✔ Yes✘ Not Valid
9451203999999993✔ Yes✘ Not Valid
9451210999999998✔ Yes✘ Not Valid
9451211999999996✔ Yes
9451212999999994✔ Yes
9451213999999992✔ Yes
9451300999999997✔ Yes✘ Not Valid✘ Not Valid
9451301999999995✔ Yes✘ Not Valid
9451302999999993✔ Yes✘ Not Valid
9451303999999991✔ Yes✘ Not Valid
9451310999999996✔ Yes✘ Not Valid
9451311999999994✔ Yes
9451312999999992✔ Yes
9451313999999990✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
Accel

Visa

9480100999999996✘ No✘ Not Valid✘ Not Valid
9480101999999994✘ No✘ Not Valid
9480102999999992✘ No✘ Not Valid
9480103999999990✘ No✘ Not Valid
9480110999999995✘ No✘ Not Valid
9480111999999993✘ No
9480112999999991✘ No
9480113999999999✘ No
9480200999999994✘ No✘ Not Valid✘ Not Valid
9480201999999992✘ No✘ Not Valid
9480202999999990✘ No✘ Not Valid
9480203999999998✘ No✘ Not Valid
9480210999999993✘ No✘ Not Valid
9480211999999991✘ No
9480212999999999✘ No
9480213999999997✘ No
9480300999999992✘ No✘ Not Valid✘ Not Valid
9480301999999990✘ No✘ Not Valid
9480302999999998✘ No✘ Not Valid
9480303999999996✘ No✘ Not Valid
9480310999999991✘ No✘ Not Valid
9480311999999999✘ No
9480312999999997✘ No
9480313999999995✘ No
9481100999999995✔ Yes✘ Not Valid✘ Not Valid
9481101999999993✔ Yes✘ Not Valid
9481102999999991✔ Yes✘ Not Valid
9481103999999999✔ Yes✘ Not Valid
9481110999999994✔ Yes✘ Not Valid
9481111999999992✔ Yes
9481112999999990✔ Yes
9481113999999998✔ Yes
9481200999999993✔ Yes✘ Not Valid✘ Not Valid
9481201999999991✔ Yes✘ Not Valid
9481202999999999✔ Yes✘ Not Valid
9481203999999997✔ Yes✘ Not Valid
9481210999999992✔ Yes✘ Not Valid
9481211999999990✔ Yes
9481212999999998✔ Yes
9481213999999996✔ Yes
9481300999999991✔ Yes✘ Not Valid✘ Not Valid
9481301999999999✔ Yes✘ Not Valid
9481302999999997✔ Yes✘ Not Valid
9481303999999995✔ Yes✘ Not Valid
9481310999999990✔ Yes✘ Not Valid
9481311999999998✔ Yes
9481312999999996✔ Yes
9481313999999994✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
STAR

Pulse

Visa

9710100999999998✘ No✘ Not Valid✘ Not Valid
9710101999999996✘ No✘ Not Valid
9710102999999994✘ No✘ Not Valid
9710103999999992✘ No✘ Not Valid
9710110999999997✘ No✘ Not Valid
9710111999999995✘ No
9710112999999993✘ No
9710113999999991✘ No
9710200999999996✘ No✘ Not Valid✘ Not Valid
9710201999999994✘ No✘ Not Valid
9710202999999992✘ No✘ Not Valid
9710203999999990✘ No✘ Not Valid
9710210999999995✘ No✘ Not Valid
9710211999999993✘ No
9710212999999991✘ No
9710213999999999✘ No
9710300999999994✘ No✘ Not Valid✘ Not Valid
9710301999999992✘ No✘ Not Valid
9710302999999990✘ No✘ Not Valid
9710303999999998✘ No✘ Not Valid
9710310999999993✘ No✘ Not Valid
9710311999999991✘ No
9710312999999999✘ No
9710313999999997✘ No
9711100999999997✔ Yes✘ Not Valid✘ Not Valid
9711101999999995✔ Yes✘ Not Valid
9711102999999993✔ Yes✘ Not Valid
9711103999999991✔ Yes✘ Not Valid
9711110999999996✔ Yes✘ Not Valid
9711111999999994✔ Yes
9711112999999992✔ Yes
9711113999999990✔ Yes
9711200999999995✔ Yes✘ Not Valid✘ Not Valid
9711201999999993✔ Yes✘ Not Valid
9711202999999991✔ Yes✘ Not Valid
9711203999999999✔ Yes✘ Not Valid
9711210999999994✔ Yes✘ Not Valid
9711211999999992✔ Yes
9711212999999990✔ Yes
9711213999999998✔ Yes
9711300999999993✔ Yes✘ Not Valid✘ Not Valid
9711301999999991✔ Yes✘ Not Valid
9711302999999999✔ Yes✘ Not Valid
9711303999999997✔ Yes✘ Not Valid
9711310999999992✔ Yes✘ Not Valid
9711311999999990✔ Yes
9711312999999998✔ Yes
9711313999999996✔ Yes
Network | Card Number | Regulated | Card Type: Debit, Credit, PrePaid | Pull (Type): Single, Dual | Push (Availability): Immediate, Next, Few
Credit Cards

9810203999999999✘ No✘ Not Valid

Sample Flows

There are only a few simple flows:

Retrieve Client's Attributes (Information)

Step | API Call | Description
1 | Retrieve Client | Client Attributes: Networks, Limits

Create Key (optional)

Step | API Call | Description
2 | Create Key | Encryption Key: RSA Public Key

Transaction using an Account (Tokenization)

Step | API Call | Description
3 | Query Card | Card Attributes
4 | Create Account | Type: Card
5 | Create Transaction (Push) | Transaction: Source: Settlement, Destination: Account
6 | Create Transaction (Pull) | Transaction: Source: Account, Destination: Settlement

One Time Transaction

Step | API Call | Description
7 | Query Card | Card Attributes
8 | Create Transaction (Push) | Transaction: Source: Settlement, Destination: Card
9 | Create Transaction (Pull) | Transaction: Source: Card, Destination: Settlement

Optionally Retrieve an Account, Update an Account, or Delete an Account

Step | API Call | Description
10 | Retrieve Account |
11 | Update Account | Type: Card
12 | Delete Account |

Optionally Retrieve Transaction Information

Step | API Call | Description
13 | Retrieve Transaction |
14 | Retrieve Transaction |

  1. Retrieve Client
  2. Create Key (optional)
  3. Query Card
  4. Create Account
  5. Create Transaction - Push
  6. Create Transaction - Pull
  7. Query Card
  8. Create Transaction - Push
  9. Create Transaction - Pull
  10. Retrieve Account
  11. Update Account
  12. Delete Account
  13. Retrieve Transaction
  14. Retrieve Transaction

Code Samples

There is no SDK because the TabaPay Web Service (API) is just a simple RESTful Web Service that uses standard HTTPS to:
  • connect
  • send request
  • receive response
  • disconnect
where the Request Data and the Response Data are formatted using standard JSON.

Therefore, you can use almost any programming language. We assume that you are an expert in the language you have selected to use.

You can also use command line utilities such as:
  • curl
  • wget
  • openssl s_client

If you need help in using the TabaPay Web Service (API), we recommend using one of the command line utilities first. By doing this first, it eliminates any language specific issues or uniquenesses, and since there are so many programming languages available today, we may not be an expert in (or even have used) the language you are trying to use. Also, by doing this first, it can help eliminate networking issues such as firewalls blocking the requests and/or responses.

We do provide some simple samples in various common programming languages:
  • Java
  • JavaScript
  • Go
  • Python
  • Ruby

These are meant to be simple samples and are not meant for production use.

curl

A GET Request (Retrieve Client):
curl "https://<FQDN>/v1/clients/<ClientID>" \
     -H "Authorization: Bearer <TokenValue>"
A POST Request (Query Card):
curl "https://<FQDN>/v1/clients/<ClientID>/cards" \
     -H "Authorization: Bearer <TokenValue>" \
     -H "Content-type: application/json" \
     -X POST \
     -d "{\"card\":{\"accountNumber\":\"9999999999999999\"}}"
These were last tested successfully using:

wget

A GET Request (Retrieve Client):
wget -qO- \
     "https://<FQDN>/v1/clients/<ClientID>" \
     --header "Authorization: Bearer <TokenValue>"
A POST Request (Query Card):
wget -qO- \
     "https://<FQDN>/v1/clients/<ClientID>/cards" \
     --header "Authorization: Bearer <TokenValue>" \
     --header "Content-type: application/json" \
     --post-data "{\"card\":{\"accountNumber\":\"9999999999999999\"}}"
These were last tested successfully using:

openssl s_client

A GET Request (Retrieve Client):
openssl s_client -connect <FQDN>:443

GET /v1/clients/<ClientID> HTTP/1.0
Authorization: Bearer <TokenValue>

A POST Request (Query Card):
openssl s_client -connect <FQDN>:443

POST /v1/clients/<ClientID>/cards HTTP/1.0
Authorization: Bearer <TokenValue>
Content-type: application/json
Content-length: 45

{"card":{"accountNumber":"9999999999999999"}}
These were last tested successfully using:

Java

A GET Request (Retrieve Client):
import java.io.InputStream;
import java.net.URL;

import javax.net.ssl.HttpsURLConnection;

public class Sample
{
    public static void main( String[] asArgs )
    {
        try
        {
            URL urlService = new URL( "https://<FQDN>/v1/clients/<ClientID>" );

            HttpsURLConnection connectionService =
                (HttpsURLConnection) urlService.openConnection();

            connectionService.setRequestMethod( "GET" );
            connectionService.setRequestProperty(
                "Authorization", "Bearer " + "<TokenValue>"
            );

            int iStatusCode = connectionService.getResponseCode();
            System.out.println( "TabaPay API Call, SC=" + iStatusCode );

            InputStream insResponse = iStatusCode == 200
                                    ? connectionService.getInputStream()
                                    : connectionService.getErrorStream();

            byte[] abResponse  = new byte[1024];
            int    iLengthRead = insResponse.read( abResponse );
            insResponse.close();

            System.out.println( new String( abResponse, 0, iLengthRead, "UTF-8" ) );
        }
        catch ( Throwable t )
        {
            t.printStackTrace();
        }
    }
}
A POST Request (Query Card):
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;

import javax.net.ssl.HttpsURLConnection;

public class Sample
{
    public static void main( String[] asArgs )
    {
        try
        {
            URL urlService = new URL( "https://<FQDN>/v1/clients/<ClientID>/cards" );

            HttpsURLConnection connectionService =
                (HttpsURLConnection) urlService.openConnection();

            connectionService.setRequestMethod( "POST" );
            connectionService.setRequestProperty(
                "Authorization", "Bearer " + "<TokenValue>"
            );
            connectionService.setRequestProperty(
                "Content-type", "application/json"
            );

            byte[] abDataRequest =
                "{\"card\":{\"accountNumber\":\"9999999999999999\"}}".getBytes( "UTF-8" );

            connectionService.setDoOutput( true );
            OutputStream outsRequest = connectionService.getOutputStream();
            outsRequest.write( abDataRequest, 0, abDataRequest.length );
            outsRequest.close();

            int iStatusCode = connectionService.getResponseCode();
            System.out.println( "TabaPay API Call, SC=" + iStatusCode );

            InputStream insResponse = iStatusCode == 200
                                    ? connectionService.getInputStream()
                                    : connectionService.getErrorStream();

            byte[] abResponse  = new byte[1024];
            int    iLengthRead = insResponse.read( abResponse );
            insResponse.close();

            System.out.println( new String( abResponse, 0, iLengthRead, "UTF-8" ) );
        }
        catch ( Throwable t )
        {
            t.printStackTrace();
        }
    }
}
These were last tested successfully using Java 1.8 on 05/30/2017 and reverified on 08/08/2017.


RSA Encryption using CryptoRSA Class in TabaPayAPIHelpers.jar:

import com.tabapay.api.helpers.security.rsa.CryptoRSA;
import com.tabapay.samples.CallTabaPay;
import com.tabapay.samples.CallTabaPay.KeyData;

public class APIHelpers
{
    public static void main( String[] asArgs )
    {
        String sCardData = "9999999999999999|202012|";                          // Card Number | Expiration Date | CVV2

        try
        {
            int iExpirationInDays = 365;

            KeyData dataKey = CallTabaPay.CreateKey( iExpirationInDays );       // You Provide

            String sEncodedEncryptedData = CryptoRSA.encryptUsingPublicKey(     // TabaPayAPIHelpers.jar
                dataKey.m_sPublicKey,                                           //   Public Key from Create Key
                sCardData                                                       //   Card Data
            );

            CallTabaPay.QueryCard( dataKey.m_sKeyID, sEncodedEncryptedData );   // You provide
        }
        catch ( Throwable t )
        {
            t.printStackTrace();
        }
    }
}

JavaScript

A GET Request (Retrieve Client):
var https = require( "https" );

var options =
{
    host:    "<FQDN>",
    port:    443,
    path:    "/v1/clients/<ClientID>",
    method:  "GET",
    headers:
    {
        "Authorization": "Bearer <TokenValue>"
    }
};

var req = https.request( options, function( res )
{
    console.log( "statusCode: ", res.statusCode );

    res.on( "data", function( d )
    {
        process.stdout.write( d );
    });
}).on( "error", function( e )
{
    console.error( e );
});

req.end();
A POST Request (Query Card):
var https = require( "https" );

var options =
{
    host:    "<FQDN>",
    port:    443,
    path:    "/v1/clients/<ClientID>/cards",
    method:  "POST",
    headers:
    {
        "Authorization": "Bearer <TokenValue>",
        "Content-type": "application/json",
        "Content-length": "45"
    }
};

var req = https.request( options, function( res )
{
    console.log( "statusCode: ", res.statusCode );

    res.on( "data", function( d )
    {
        process.stdout.write( d );
    });
}).on( "error", function( e )
{
    console.error( e );
});

req.write( '{"card":{"accountNumber":"9999999999999999"}}' );
req.end();
These were last tested successfully using NodeJS 6.10.3 on 05/31/2017.

Go

A GET Request (Retrieve Client):
package main

import (
  "fmt"
  "io/ioutil"
  "net/http"
)

func main() {
    client := &http.Client{}
    req, err := http.NewRequest(
        "GET",
        "https://<FQDN>/v1/clients/<ClientID>",
        nil)
    if err != nil {
        panic(err)
    }
    req.Header.Add("Authorization", "Bearer <TokenValue>")
    resp, err := client.Do(req)
    if err != nil {
        panic(err)
    }
    // Close the body on every exit path, including a failed read.
    defer resp.Body.Close()
    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(body))
}
A POST Request (Query Card):
package main

import (
  "fmt"
  "io/ioutil"
  "net/http"
  "strings"
)

func main() {
    client := &http.Client{}
    req, err := http.NewRequest(
        "POST",
        "https://<FQDN>/v1/clients/<ClientID>/cards",
        strings.NewReader("{\"card\":{\"accountNumber\":\"9999999999999999\"}}"))
    if err != nil {
        panic(err)
    }
    req.Header.Add("Authorization", "Bearer <TokenValue>")
    req.Header.Add("Content-type", "application/json")
    resp, err := client.Do(req)
    if err != nil {
        panic(err)
    }
    // Close the body on every exit path, including a failed read.
    defer resp.Body.Close()
    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(body))
}
These were last tested successfully using go 1.9.2 on 11/30/2017.

Python

A GET Request (Retrieve Client):
import httplib

conn = httplib.HTTPSConnection( '<FQDN>' )
conn.putrequest( 'GET', '/v1/clients/<ClientID>' )
conn.putheader( 'Authorization', 'Bearer <TokenValue>' )
conn.endheaders()
response = conn.getresponse()
print response.read()
A POST Request (Query Card):
import httplib

conn = httplib.HTTPSConnection( '<FQDN>' )
conn.putrequest( 'POST', '/v1/clients/<ClientID>/cards' )
conn.putheader( 'Authorization', 'Bearer <TokenValue>' )
conn.putheader( 'Content-type', 'application/json' )
conn.putheader( 'Content-length', '45' )
conn.endheaders()
conn.send( '{"card":{"accountNumber":"9999999999999999"}}' )
response = conn.getresponse()
print response.read()
These were tested successfully using Python 2.7.10 on 05/30/2017.

Ruby

A GET Request (Retrieve Client):
require 'net/https'

uri = URI.parse( 'https://<FQDN>/v1/clients/<ClientID>' )
http = Net::HTTP.new( uri.host, uri.port )
http.use_ssl = true
request = Net::HTTP::Get.new( uri.request_uri )
request.add_field( "Authorization", "Bearer <TokenValue>")
response = http.request( request )

puts response.body
A POST Request (Query Card):
require 'net/https'
require 'json'

uri = URI.parse( 'https://<FQDN>/v1/clients/<ClientID>/cards' )
http = Net::HTTP.new( uri.host, uri.port )
http.use_ssl = true
request = Net::HTTP::Post.new( uri.request_uri, 'Content-Type' => 'application/json' )
request.add_field( "Authorization", "Bearer <TokenValue>")
request.body = {card:{accountNumber: '9999999999999999'}}.to_json
response = http.request( request )
puts response.body
These were tested successfully using Ruby 2.0.0p648 on 05/31/2017.

PCI Helpers

These sections are still a Work in progress...

These TabaPay features are to help our Clients with PCI, but they do not remove the PCI requirements for the Client.

PCI Helper - SSO

This section is still a Work in progress... Also see the PCI Helper - SSO FAQ. The samples and examples described here are now running in the Sandbox Environment.


How SSO works

See some working samples on how this might work.

The samples are only samples. We can provide a generic (plain/simple) SSO HTML Web Page, but we think that allowing you to customize it to match your WebSite (colors, layout, error handling, etc...) would be a much better solution. However, that means you will need to provide the HTML, CSS, and JavaScript.

The Imbedded Form Sample (currently) only shows one input method:

  1. Keyboard Entry

while the Modal Dialog Box Overlay shows 3 possible input methods:

  1. Keyboard Entry
  2. KeyPad Entry
  3. Card Swipe Entry

For the KeyPad Entry and Card Swipe Entry, please contact sales@TabaPay.com.

For the Keyboard Entry, this sample allows the Customer on the Customer's browser to enter the following 3 pieces of Cardholder Data:
  1. Card Account Number
  2. Expiration Date
  3. Security Code - CVV2 (optional)

A Card Token is generated that can be used in the following API Calls:

In order to use this Solution, it does require the use of a modern browser, so be sure your users are using a modern browser. We have last tested this Solution successfully using:

Please ensure this browser usage by your users before deciding to use this Solution.

Additional Details

The following is meant to be only a simple sample of how this may work. It is not meant for production use, nor does it imply that it is production ready.

Client Web Page

Add a Listener for the Return from TabaPay SSO

window.addEventListener( "message", pfReceivedMessage, false );

Function to handle Return from TabaPay SSO

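var pfReceivedMessage = function( event )
{
  // Any window can post a message to this page, so accept only
  // string messages sent from the TabaPay SSO origin
  if ( event.origin !== "https://<FQDN>" || typeof event.data !== "string" )
  {
    return;
  }
  if ( event.data != "Close" )
  {
    if ( event.data.slice( 0, 7 ) == "Error: " )
    {
      // Error
    }
    else
    {
      var asData = event.data.split( "|" );
      if ( asData.length == 3 )
      {
        // asData[ 0 ] contains the Last 4
        // asData[ 1 ] contains the Expiration Date in YYYYMM Format
        // asData[ 2 ] contains the Card Token
      }
      else
      {
        // Data Error
      }
    }
  }
  else
  {
    // Close or Cancel
  }
}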

JavaScript Code to load TabaPay SSO when needed

document.getElementById( "sso" ).src = "https://<FQDN>/<PageName>.html?<Unique>";

HTML to include TabaPay SSO

<div><iframe id="sso"></iframe></div>
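
A stricter version of the listener above, as an added example that is not TabaPay's code: it checks the sender's origin and window before parsing, then validates each of the three fields. SSO_ORIGIN (a placeholder) and the function name classifySsoMessage are assumptions; the "Last 4|YYYYMM|Card Token" layout is the one described on this page.

```javascript
// Added example, not TabaPay code. SSO_ORIGIN is a placeholder for the origin
// that serves the SSO page loaded into the iframe.
var SSO_ORIGIN = "https://<FQDN>";

// Classify one "message" event. The returned object's kind is one of:
//   "ignored" (not from the SSO iframe), "close", "error", "invalid", "card".
function classifySsoMessage( event, expectedOrigin, expectedSource )
{
  // Any window can post to this page, so check the sender before the data.
  if ( event.origin !== expectedOrigin )
  {
    return { kind: "ignored", reason: "origin" };
  }
  if ( expectedSource && event.source !== expectedSource )
  {
    return { kind: "ignored", reason: "source" };
  }
  // The protocol is string-only; postMessage can also deliver objects.
  if ( typeof event.data !== "string" )
  {
    return { kind: "invalid", reason: "not a string" };
  }
  if ( event.data === "Close" )
  {
    return { kind: "close" };
  }
  if ( event.data.slice( 0, 7 ) === "Error: " )
  {
    return { kind: "error", message: event.data.slice( 7 ) };
  }
  var asData = event.data.split( "|" );
  if ( asData.length !== 3 )
  {
    return { kind: "invalid", reason: "expected 3 fields" };
  }
  if ( ! /^[0-9]{4}$/.test( asData[ 0 ] ) )
  {
    return { kind: "invalid", reason: "last 4" };
  }
  if ( ! /^[0-9]{4}(0[1-9]|1[0-2])$/.test( asData[ 1 ] ) )
  {
    return { kind: "invalid", reason: "expiration date" };
  }
  if ( asData[ 2 ].length === 0 )
  {
    return { kind: "invalid", reason: "card token" };
  }
  return { kind: "card", last4: asData[ 0 ], expiration: asData[ 1 ], token: asData[ 2 ] };
}

// Browser wiring (skipped when this file is run outside a browser).
if ( typeof window !== "undefined" )
{
  window.addEventListener( "message", function( event )
  {
    var frame  = document.getElementById( "sso" );
    var result = classifySsoMessage( event, SSO_ORIGIN, frame && frame.contentWindow );
    if ( result.kind === "card" )
    {
      // Hand result.token to your back end for the TabaPay API calls.
    }
    else if ( result.kind === "error" || result.kind === "invalid" )
    {
      // Log the detail and show your own wording, set with textContent.
    }
    else if ( result.kind === "close" )
    {
      // Close or Cancel: hide the iframe.
    }
  }, false );
}
```
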


Client BackEnd Server

Can use the Card Token in the following TabaPay API Calls:


Customization of SSO

If you are providing the HTML, CSS, and JavaScript to us:

  • HTML must be minifiable
  • CSS must be minifiable
  • JavaScript must be compilable (with no warnings or errors) with the Google Closure Compiler
  • No External JavaScript Libraries, No External JavaScript Frameworks
  • The Results will be a single HTML file
  • Any external images will be hosted from your servers
  • We will control and own the HTML, CSS, and JavaScript (please check with your legal department)

Clarifications (feedback from Early Users):

  • You will provide us with the HTML, CSS, JavaScript:
    • Formatted as for Development (leave spaces, indentation, whitespace, blank lines, etc...)
    • Leave Comments in as for Development
    • We have to understand the code you send to us, so keep it (very) simple...
  • We (TabaPay) will minify the HTML, CSS, JavaScript:
    • If there are issues, we will try to fix...
    • If we can't fix (easily), we may ask you to revise it...
  • Due to PCI, we cannot include external libraries or frameworks...
  • And again due to PCI, we have to own the code (HTML, CSS, JavaScript), so please check with your Legal Department...

Also see the Step-by-Step Example below of this process including our expectations of the expected file (or 3 files: HTML, CSS, and JavaScript) that we will be receiving from you.

Common sense (real world) facts about this customization:

  • Take advantage of this (almost) complete control of this customization and the ability for you to customize it, but:
    • Be Simple
    • Be Reasonable
    • Understand some of the Restrictions, if any
    • If we say we cannot do something, show us how to do it simply and we will take another look
    • If we say no, please accept that it can't be done or we can't do it
  • Due to time constraints, we can only do minor tweaks after the initial delivery of the HTML, CSS, and JavaScript.


Other Notes:
  • Expiration of the Card Token?

Step-by-Step Example

The following is only a very simple example. It is not meant for production use, nor does it imply that it is production ready. Also see the PCI Helper - SSO FAQ.

(1) My Custom SSO Web Page

It is:
  • (Very) Simple
  • Reasonable (in complexity and size)
  • Easy to understand
  • No External Libraries or Frameworks

and it is nicely formatted for a developer to read:

  • Code is Indented
  • Source is Commented

<!DOCTYPE html>
<html>
<head>
<style>
/*
 * Table Header
 * 1st Column
 */
th
{
  text-align: right;
  padding-right: 10px;
}
/*
 * Form Button(s) Row
 */
.b
{
  padding-top: 10px;
  text-align: center;
}
</style>
<script>
function fCheckCardNumber( psCardNumber )
{
  //
  // Code to Check Card Number
  //
  if ( psCardNumber.length < 13 || psCardNumber.length > 19 )
  {
    return false;
  }
  //
  // More Checks?
  //   Card Range?
  //   All Digits?
  //   Luhn Checksum?
  //

  //
  // If you want to use TabaPay's Common Utils,
  //   (1) remove the above check
  //   (2) and add the following if statement
  //
  // if ( ! TabaPayCommonUtils.fCheckCardNumber( psCardNumber ) )
  // {
  //    return false;
  // }
  //

  return true;
}
function fCheckExpirationDate( psExpirationDate )
{
  //
  // Code to Check Expiration Date
  //
  if ( psExpirationDate.length != 5 || psExpirationDate.slice( 2, 3 ) != "/" )
  {
    return false;
  }
  //
  // More Checks?
  //   Check Month and Year
  //

  //
  // If you want to use TabaPay's Common Utils,
  //   (1) remove the above check
  //   (2) and add the following if statement
  //
  // if ( ! TabaPayCommonUtils.fCheckCardExpirationDate( psExpirationDate ) )
  // {
  //    return false;
  // }

  return true;
}
function fCheckSecurityCode( psSecurityCode )
{
  //
  // Code to Check Security Code
  //
  if ( psSecurityCode.length < 3 || psSecurityCode.length > 4 )
  {
    return false;
  }
  //
  // More Checks?
  //   Check Number
  //

  //
  // If you want to use TabaPay's Common Utils,
  //   (1) remove the above check
  //   (2) and add the following if statement
  //
  // // Currently this only does minimal checking
  // // If you want a more thorough Security Code check,
  // //   feel free to replace this with your own function
  //
  // if ( ! TabaPayCommonUtils.fCheckSecurityCode( psSecurityCode ) )
  // {
  //    return false;
  // }
  //

  return true;
}
function fClear()
{
  document.getElementById("c").value="";
  document.getElementById("e").value="";
  document.getElementById("s").value="";
}
function fSubmit()
{
  var sCardNumber     = document.getElementById("c").value.trim();
  var sExpirationDate = document.getElementById("e").value.trim();
  var sSecurityCode   = document.getElementById("s").value.trim();
  //
  // Check Card Number
  //
  if ( sCardNumber.length == 0 )
  {
    alert( "Missing Card Number" );
    return;
  }
  if ( ! fCheckCardNumber( sCardNumber ) )
  {
    alert( "Bad Card Number" );
    return;
  }
  //
  // Check Expiration Date
  //
  if ( sExpirationDate.length == 0 )
  {
    alert( "Missing Expiration Date" );
    return;
  }
  if ( ! fCheckExpirationDate( sExpirationDate ) )
  {
    alert( "Bad Expiration Date" );
    return;
  }
  //
  // Check Security Code (optional)
  //
  if ( sSecurityCode.length > 0 )
  {
    if ( ! fCheckSecurityCode( sSecurityCode ) )
    {
      alert( "Bad Security Code" );
      return;
    }
  }
  //
  // All Checks ok
  //

  // TabaPay will add code here
  //   temporarily use an alert to display the values
  alert( sCardNumber + "," + sExpirationDate + "," + sSecurityCode );
}
function fCancel()
{
  // TabaPay will add code here
  //   temporarily use an alert to indicate Cancel
  alert( "Cancelled" );
}
</script>
</head>
<body>
<form>
  <table>
    <tr>
      <th>Card Number</th>
      <td><input id="c" type="password" placeholder="13-19 digits"></td>
    </tr>
    <tr>
      <th>Expiration Date</th>
      <td><input id="e" placeholder="MM/YY Format"></td>
    </tr>
    <tr>
      <th>Security Code</th>
      <td><input id="s" placeholder="3-4 digits"></td>
    </tr>
    <tr>
      <td class="b" colspan="2">
        <input type="button" value="Clear" onclick="fClear()"/>
        &nbsp;
        <input type="button" value="Use Card Data" onclick="fSubmit()"/>
      </td>
    </tr>
    <tr>
      <td class="b" colspan="2"><input type="button" value="Cancel" onclick="fCancel()"/></td>
    </tr>
  </table>
</form>
</body>
</html>

Alerts were used in the above example only to simplify it and to avoid cluttering the JavaScript Code. We recommend that you change the usage of Alerts to something more appropriate that matches your WebSite. Again, the above example is not meant for production use, nor does it imply that it is production ready.

(2) Please QA the My Custom SSO Web Page before (3)

(2a) TabaPay QA will only do a cursory check

(2b) There will be a very limited number of back and forth

(2c) It will be your responsibility for your Custom SSO Web Page

(3) Submit My Custom SSO Web Page to TabaPay

(4) Wait for TabaPay to complete the modifications to the Custom SSO Web Page

(5) TabaPay will make your Custom SSO Web Page available

(6) Test using TabaPay's Test your SSO Web Page

Go to the See some working samples link above

Use the filename: MyCustomSSOExample
and be sure to set the desired width and height
also this Example has an image that is hosted externally

(7) Include in your Web Page

See the Additional Details above on how to do this...

PCI Helper - RSA

This section is still a Work in progress... Also see the PCI Helper - RSA FAQ.


How to use RSA

Due to the number of computer languages available today, we will be using OpenSSL, the well-known and widely used cryptography library, to show how to use RSA to create the value for the data parameter in the following TabaPay API Calls:

The data contains:

Here are the steps in creating the data parameter for the TabaPay API Calls:

  1. Create a Key

    • Use the TabaPay API Call: Create Key
      • The returned format of the Public Key depends upon what language you are using and what libraries (in the language) you are using, however:
        • RAW Format (consisting of exponent and modulus) can be easily converted to ASN.1 Format
        • ASN.1 Format can be easily converted to RAW Format (consisting of exponent and modulus)
    • OpenSSL, for this example, will be using ASN.1 Format
  2. Save the keyID

  3. Convert the key (in ASN.1 Format) from Base64 URL-Safe to regular Base64 Encoding

  4. Create a file containing the Public Key. We will use PEM Format, but we could also have used DER Format instead:

    • Use an editor, like vi, and create a public.key
    • First Line contains: -----BEGIN PUBLIC KEY-----
    • Next Line contains the Base64 (not URL-Safe) Encoded Key: MIIBI...AQAB
    • Last Line contains: -----END PUBLIC KEY-----
  5. Create a file containing the Card Data, separated by "|" (pipe symbol):

    • Card Account Number
    • Card Expiration Date
    • Card Security Code

    Example is: 9400100999999993|209912|123

  6. Use OpenSSL to encrypt the Card Data, RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding:

    openssl pkeyutl -in card.data -out encrypted.data -inkey public.key -keyform PEM -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

  7. Convert the Encrypted Data in the file to Base64 URL-Safe Encoding

  8. You can now use:
    • keyID from (2)
    • data, Base64 URL-Safe Encoding, from (7)

    in the following TabaPay API Calls:

Make sure the version of OpenSSL that you are using is at least 1.0.2k.

If you are having problems, hopefully this example can help you in the language you are using... Some languages, such as:

use the OpenSSL library.

General FAQ

Need help?
Contact us at support@TabaPay.com and someone from our support team will get back to you as quickly as possible.

Why is there no SDK?
The API is just a simple RESTful Web Service that uses standard HTTPS to:
  • connect
  • send request
  • receive response
  • disconnect
where the Request Data and the Response Data are formatted using standard JSON.

Therefore, you can use almost any programming language; however, there are so many programming languages available today, we may not be an expert in (or even have used) the language you are trying to use. We assume that you are an expert in the language you have selected to use.


Having connection issues?
Try using one of the command line utilities first. Usually it can help diagnose networking issues such as firewall configurations, IP whitelisting, etc... Also it helps in eliminating any language specific issues or uniquenesses, and since there are so many programming languages available today, we may not be an expert in (or even have used) the language you are trying to use.

Curious? What do we use?
We currently use Java for all Production Applications (and Tools) but are migrating to Go.

We use Go for all our Testing (QA) Tools.

For Reports, the Accounting Department is currently using Python.


ISO
Unfortunately this acronym stands for:

Hopefully the context where it is being used will make the definition of the acronym obvious.

Data FAQ

Is there a JSON Schema?
We allow additional JSON pairs (NVPs) to be added in a request (though we don't recommend this) and we may return back additional JSON pairs (NVPs) in a response (optional JSON pairs (NVPs) that you may not be using but another client may be using). We also allow JSON pairs (NVPs) to be sent in a request in any order and we may return back JSON pairs (NVPs) in a response in any order.

Be sure you can handle "freeform" JSON responses.


What is the type of a Data Value? Is it a String, an Integer, an Amount, a Boolean, or what?
We treat all Data Values initially as Strings. We then apply a Value Restriction to the String. So for example:
  • an Integer, we look for a string with only digits
  • an Amount, for currency number 840, USD, we look for a string with only digits and a single decimal point with two decimal digits but no commas nor currency sign
  • a Boolean, we look for a string with the value of either true or false
Therefore, we should be able to parse almost all JSON Requests without having to just return a generic error (parse error).

How to specify an Amount Value?
In order to handle international currencies, an Amount is a String. International currencies:
  • use either a point or a comma as their decimal mark and
  • might have a maximum of 0, 1, 2, 3, or 4 decimal places.
So for example, for those using currency number 840, USD, an Amount must have a decimal point (.) with 2 decimal digits and no commas (,) nor currency sign ($). Examples:
  • 1000.20   Valid
  • 1.20   Valid
  • 0.20   Valid
  • .20   Valid
  • .4   Invalid, 2 decimal digits are required
  • 1.4   Invalid, 2 decimal digits are required
  • 1,000.21   Invalid, comma not needed
  • $10.21   Invalid, dollar sign not needed

Is there a size limitation to String Values?
Unless specified in the Value column, String Values can be of any reasonable size. However there is a limitation to the total number of bytes in your request. And remember, some Unicode characters, especially international characters, are more than one byte.

Are null Values valid?
JSON Values that are null are accepted, according to the JSON Specifications, but it is preferred that you just leave out the pair (NVP):

Works:

{
  "NameA": "Test",
  "NameB": null,
  "NameC": "Test"
}
Preferred:
{
  "NameA": "Test",
  "NameC": "Test"
}

What valid characters can be used for fields such as Reference IDs, Memo, Names (first and last), etc...?
The API can accept any UTF-8 character; however, to be safe for other processes that may be using this data, we recommend the use of only the Base64 URL-Safe Character Set. We will also explicitly restrict the use of these characters:
  • ,   Comma (used in csv files)
  • "   Double Quotes (used in csv files)
  • ~   Tilde
  • ^   Caret

We do recommend the use of only the Base64 URL-Safe Character Set.

Base64 Encoding
Binary Data and some Strings, that are beyond Alphanumeric, should be encoded in Base64 with no padding and using the URL-Safe Character Set:
  • A-Z   Uppercase alphabetic characters
  • a-z   Lowercase alphabetic characters
  • 0-9   Digits
  • -   Minus Sign
  • _   Underscore

Format of the JSON Request and Response Data?
We recommend deleting all whitespaces from the JSON Request. We will return a JSON Response in a packed format where all whitespaces are removed.

Nice for humans:

{
  "NameA": "Test",
  "NameB": 1
}
But not so much for our Application and also it clutters our logs, so preferably:
{"NameA":"Test","NameB":1}

Errors FAQ

HTTP Status Codes?
See Status Codes for a list of HTTP Status Codes that might be returned.

A 400 Series Error is usually something that you can fix by changing something in your request. A 500 Series Error is usually something that you need to contact us (support@TabaPay.com) to look at. If we determine that a 500 Series Error can be fixed by you, we will try to change this error situation to a 400 Series Error in a future code release.

PCI does require us to be cryptic in the Error Messages that we return back; but for certain 400 Series Errors, we may return back something in the Error Message (EM) field of the JSON Response that indicates what might be wrong.


You should never get a HTTP Status Code of 400 on Production
If you are getting a HTTP Status Code of 400 on the Production Environment, that usually means you are not handling these errors correctly on your end. We strongly recommend completing the Production Certification Test in its entirety, specifically the portion where we recommend integrating your application with our API calls.

Also, please see the Coding FAQ.


Use of HTTP Status Code 207?
You might get HTTP Status Code 207, when there is an Error while processing your Transaction due to some Upstream Process.

Everything on our end processed successfully:

  • Your request passed all our checks
  • Configuration is available to process your request
  • A record is created for your request (Transaction)
But an Error occurred in some Upstream Processing.


Customer Facing Error Messages?
We are a Server-to-Server Web Service (API) and we are not Customer Facing, so:
  • We do not provide User Friendly Error Messages.
  • We do not provide Error Details (because of PCI).
  • We do not recommend showing your Customers our Error Messages or Error Codes.
Your Application should catch as many errors as possible before sending the Request to us. You should not use us (API Request) to check the Customer's Data Errors. Therefore, if your Application is catching the obvious errors and you are not exposing Error Details from your Application or from our API, then there shouldn't be a lot of unique Error Messages back to the Customer.

Also, please see the Coding FAQ.

Sandbox Environment FAQ

Are there Test Card Numbers to use in the Sandbox Environment?
PCI requires us and you to use Test Card Numbers when testing. You should never use a real Card Number in the Sandbox Environment. See Samples - Test Cards where we provide various Test Card Numbers...

How to generate an error in the Sandbox Environment?
For Create Transaction, the Amount is used to trigger various errors while processing the Create Transaction request in the Sandbox Environment (Accel uses a 3-digit Network Response Code):
| Amount | Response: Status Code | Response: Network Response Code / Resource Status | Actual: Network Response Code / Resource Status | Error Description |
|---|---|---|---|---|
| 0.01 | 200 | ZZ (or 999) / ERROR | ZZ (or 999) / ERROR | Transaction Error |
| 0.02 | 207 | UNKNOWN | UNKNOWN | Transaction Processing Failed |
| 0.03 | 200 | 00 (or 000) / COMPLETED | 00 (or 000) / COMPLETED | Transaction Successful, but upstream processing was delayed for 30 seconds |
| 0.04 | 207 | UNKNOWN | 00 (or 000) / COMPLETED | Transaction Successful, but upstream processing was delayed for 40 seconds |

For Delete Transaction, the Create Transaction Amount is used to trigger various errors while processing the Delete Transaction request in the Sandbox Environment (Accel uses a 3-digit Network Response Code):
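| Amount | Create Transaction Response: Status Code | Create Transaction Response: Network Response Code | Create Transaction Response: Resource Status | Delete Transaction Response: Status Code | Delete Transaction Response: Reversal Network Response Code | Delete Transaction Response: Resource Status | Error Description |
|---|---|---|---|---|---|---|---|
| 0.07 | 200 | 00 (or 000) | COMPLETED | 200 | ZZ (or 999) | UNKNOWN | Reversal Request failed |
| 0.08 | 200 | 00 (or 000) | COMPLETED | 200 | 21 | UNKNOWN | Reversal Request failed, the Reversal was too late. |
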
Not available when routed to any Regional Network: Currently only STAR and Accel.
For AVS, Query Card, the Zip Code, Address, and Security Code are used to trigger various conditions while processing an AVS request in the Sandbox Environment:
| Request: Zip Code | Request: Address | Request: Security Code | Response: Response Text | Response: Network Response Code | Response: Code (AVS Results) | Response: Code (Security Code Results) | Comments |
|---|---|---|---|---|---|---|---|
| Any* | Any* | None | NOT DECLINED | 85 | Y | | Zip Code and Address were matched |
| Any* | None | None | NOT DECLINED | 85 | Z | | Zip Code was matched |
| Any* | Any or None | Any* | DEPENDS | DEPENDS | DEPENDS | M | Depends upon if Zip Code and Address matches or not, but Security Code was matched |
| Any* | Any or None | 999 | DECLINE | 05 | DEPENDS | N | Depends upon if Zip Code and Address matches or not, but Security Code was not matched |
| 99990 | Any or None | Any or None | DECLINE | 05 | U | | Information not available |
| 99991 | Any or None | Any or None | DECLINE | 05 | R | | AVS unavailable, retry |
| 99992 | Any* | None | DECLINE | 05 | A | | Zip Code was not matched, but Address was matched |
| 99992 | None or 999 Bad | None | DECLINE | 05 | N | | Zip Code and Address were not matched |
| 99993 | Any or None | Any or None | DEPENDS | DEPENDS | DEPENDS | DEPENDS | AVS Request delayed for 30 seconds |
| 99994 | Any or None | Any or None | UNKNOWN | UNKNOWN | UNKNOWN | UNKNOWN | AVS Request timed out |

  • Any* - Any Zip Code that is not explicitly used to trigger a condition (99990-99994)
  • Any* - Any Address that is not explicitly used to trigger a condition (999...) - Address only checks the Street Number
  • Any* - Any Security Code that is not explicitly used to trigger a condition (999)

Is the Sandbox Environment PCI Compliant?
No.

You should be using Test Card Numbers when testing in the Sandbox Environment. You should never use a real Card Number in the Sandbox Environment. See Samples - Test Cards where we provide various Test Card Numbers...


What is the Sandbox Environment SLA?
There should be no expectations on the Sandbox Environment.

Production Environment FAQ

What is the maintenance window for the Production Environment?
There should be no outage during normal maintenance. We have activity 24x7x365 and the low points seem to be around mid-week.

How quickly can we do a change (configuration) on the Production Environment?
We are PCI Level 1 and SOC2 Type 2 Compliant. So, what does that mean? We are procedure and process controlled.

Some companies require us to be PCI Level 1 and SOC2 Type 2 Compliant. And then some of those same companies still expect us to do things for them immediately (and on Production). Here is a real life example that recently occurred:

  • A Client demanded to change their limit on a weekend night immediately
  • After changing their Limit, the same Client later demanded to change their limit again and again on a weekend night immediately
  • After changing their Limit again, we see they never reached the Limits they demanded, in fact, they never even reached their original Limit

Not everything is or can be an emergency...

Schedule for Production changes:

  1. Have your request by Friday morning
  2. Changes will be implemented by end of day Monday (or Tuesday, if Monday is a Holiday)
So please plan ahead... This includes boarding new clients, changing limits, whitelisting IPs, etc...

Why? (in regards to the above question)
Here is a quote from one of our Clients about their PCI Environment (not ours but theirs):

Our IT department frowns upon rapid-fire changes to the PCI environment.

So I hope everyone understands the restrictions and constraints of being in a PCI Environment.

Funny, we previously have used the same word: "frown" when a Client asks us to do something outside of our normal policies and procedures.


Ready to go into Production?
In order to go into Production, we need the following things to be completed:
  1. PCI
  2. Certification Test on Sandbox
    • Just run your normal QA Tests against your Application connected to our backend (API)
    • And run various Error Conditions/Scenarios, see the Certification Test document from TabaPay Support

  3. TabaPay Boarding Sheet
    • Your Support Contact Information
    • Your Financial (Accounting) Information

Certification Test?
  • We want you to run your full QA tests on your Application that is connected to our backend (API).
  • We want to see the different types of requests that you may be sending us.
  • We can provide feedback on what we are seeing in your requests.
  • We want to catch issues during this testing versus on Production.
  • We can catch problems, here are some of the real issues we have seen before we revised our Certification Test:
    • Security Code was misspelled, so they (CVV2s) showed up in the clear in our logs which exposes us (PCI) and your customer.
    • Amounts were incorrectly formatted, so some requests were failing (.4) and others were not (0.40).
That is why we want you to run your normal QA Tests on your Application that is connected to our backend (API) in the Sandbox Environment.

You should never get a HTTP Status Code of 400 on Production
If you are getting a HTTP Status Code of 400 on the Production Environment, that usually means you are not handling these errors correctly on your end. We strongly recommend completing the Production Certification Test in its entirety, specifically the portion where we recommend integrating your application with our API calls.

Also, please see the Coding FAQ.


Locking your Client?
If the Bank and/or TabaPay detect something funny happening:
  • in your API Requests, or
  • with your Limits, or
  • with your Settlement Account
your Client may be LOCKed. We will try to contact you first, but the Bank may not.

If your Client is LOCKed, please contact TabaPay support.


Disabling your IP Address?
If TabaPay detects something funny coming from one of your IP Addresses that you requested to be whitelisted, we may have to remove that IP Address. We have WAFs and IDS/IPSs protecting all Internet Facing Systems. We shouldn't be receiving any kind of probes from your systems, so all probes will be detected as a hack attempt and will be shut down.

If we do remove an IP Address, you have to resubmit a request to reenable the IP Address, so please contact TabaPay support.


A reason for disabling?
“Insanity is doing the same thing, over and over again, but expecting different results.”

PCI / SOC2 FAQ

What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. Also see PCI Security Standards Council.

What is SOC2 Type 2?
SOC stands for System and Organization Controls.

Are we PCI Compliant? SOC2 Type 2 Compliant?
TabaPay is a PCI Level 1 Service Provider.

TabaPay is SOC 2 Type 2 Certified.


Is the Sandbox Environment PCI Compliant?
No.

You should be using Test Card Numbers when testing in the Sandbox Environment. You should never use a real Card Number in the Sandbox Environment. See Samples - Test Cards where we provide various Test Card Numbers...


SSL/TLS Configuration?
We use Qualys SSL Server Test to check our SSL/TLS configuration on all internet facing systems:

Our configured Protocols and Cipher Suites:


WAF, Web Application Firewall, protection?
We have a WAF, Web Application Firewall, in front of all internet facing systems. So if our WAF detects something funny, such as something in the OWASP Top 10, your request will get rejected with SC=406.

Coding FAQ

As mentioned elsewhere multiple times:

We may not be an expert in (or even have used) the language you are trying to use. We assume that you are an expert in the language you have selected to use.

With that said, here are some questions that we have encountered that might be helpful to you:


My Program doesn't work?
Please provide the full Request and Response. If there was an error, the full error message (exception) and if available any stack trace. The more details, the better we can help you, and the faster we can help you.

If you contact TabaPay support, please send your Request and Response:

Request should include:

  • Date and Time of the Request and Time Zone (we have many Clients in many different parts of the world)
  • URL
  • Request Method (Get, Post, Put, or Delete)
  • Request Data (JSON), if any

Response should include:

  • HTTP Status Code
  • Response Data, if any
    • (usually) JSON
    • (but can be) HTML
  • Exception and Stack Trace, if any


SC=406
We have a WAF, Web Application Firewall, in front of all internet facing systems. So if our WAF detects something funny, such as something in the OWASP Top 10, your request will get rejected with SC=406.

SC=400
If you are getting a HTTP Status Code of 400 on the Production Environment, that usually means you are not handling these errors correctly on your end. We strongly recommend completing the Production Certification Test in its entirety, specifically the portion where we recommend integrating your application with our API calls.

Why you should never see SC=400 in Production?
All errors with a HTTP Status Code of 400 should have been caught before the API request is sent to us. We shouldn't have to return back a HTTP Status Code of 400. A HTTP Status Code of 400 means that something in your request is bad: Bad Request. You should not use us (API Request) to check for Customer entered data errors.

For example:

  • Card Account Number
  • Card Expiration Date
  • Amount
All of the above examples should have been caught on the client side (Customer's Device). It shouldn't need to travel from:
  1. the Customer's Device
  2. to your Servers
  3. to our Servers
  4. negative response (400) back to your Servers
  5. and then finally some error message back to the Customer's Device
just to inform the Customer that the Customer entered a bad:
  • Card Account Number
  • or Card Expiration Date
  • or Amount
We believe the proper way of handling errors is:
  • Immediate
  • Interactive
  • Responsive
and that means if the Customer is on a Web Browser, then there should be:
  • JavaScript code
to catch obvious errors; and if the Customer is on a Mobile Device, then there should be:
  • Swift (or Objective-C) code on iOS
  • or Java code on Android
to catch obvious errors.

Even if an error gets past the code on the Customer's Device and goes up to your Servers, your BackEnd Code on your Servers should also catch these obvious errors. That is two layers of code that should have caught the error, so that is why we say:

We should never have to return back a SC=400 in Production...

That is why you should test on the Sandbox Environment and pass the Certification Test completely.
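
The kind of pre-submission check described above, as an added example (not TabaPay's code): it validates the Card Account Number with the Luhn checksum, the Expiration Date, the Security Code and the Amount before anything is sent. The field names, the 3 or 4 digit Security Code rule and the two-decimal Amount format (inferred from the .4 versus 0.40 case in the Production Environment FAQ) are assumptions.

```javascript
// Added example: field checks to run on the Customer's Device and again on
// your Servers. Field names and formats are assumptions, not the API schema.

// Luhn checksum over a 13-19 digit card number (digits only).
function luhnValid(pan) {
  if (!/^\d{13,19}$/.test(pan)) return false;
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = pan.charCodeAt(pan.length - 1 - i) - 48; // walk right to left
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }  // double every 2nd digit
    sum += d;
  }
  return sum % 10 === 0;
}

// A card is treated as usable through the end of its expiration month.
function expiryValid(month, year, now = new Date()) {
  if (!Number.isInteger(month) || !Number.isInteger(year)) return false;
  if (month < 1 || month > 12) return false;
  return year * 12 + (month - 1) >= now.getFullYear() * 12 + now.getMonth();
}

// Normalise an amount to "<digits>.<2 digits>" without floating point, so
// ".4" and "0.40" are sent identically. Returns null for anything else.
function normalizeAmount(input) {
  const s = String(input).trim();
  if (!/^(\d+(\.\d{0,2})?|\.\d{1,2})$/.test(s)) return null;
  const [whole = "", frac = ""] = s.split(".");
  const cents = BigInt(whole || "0") * 100n + BigInt(frac.padEnd(2, "0"));
  if (cents <= 0n) return null;
  return `${cents / 100n}.${String(cents % 100n).padStart(2, "0")}`;
}

// Returns only the names of the failing fields, never the entered values,
// so nothing sensitive ends up in a log or an error message.
function checkEntry(entry, now = new Date()) {
  const errors = [];
  const pan = String(entry.cardNumber).replace(/[ -]/g, "");
  if (!luhnValid(pan)) errors.push("cardNumber");
  if (!expiryValid(entry.expMonth, entry.expYear, now)) errors.push("expiration");
  if (!/^\d{3,4}$/.test(String(entry.securityCode))) errors.push("securityCode");
  const amount = normalizeAmount(entry.amount);
  if (amount === null) errors.push("amount");
  return { ok: errors.length === 0, errors, amount };
}
```
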

PCI Helper - SSO FAQ

Is it possible to customize the SSO?
We have temporarily suspended the full Customization of the SSO. We will provide a generic SSO in which you can modify only a few things like:
  • Font
  • Color

What is the process of submitting a customized SSO?
See PCI Helper - SSO in Samples... But to summarize:
  1. You need to create a fully working HTML Page that meets our requirements (see PCI Helper - SSO in Samples...)
    • Our QA will only do a cursory check and will reject any HTML Page that doesn't do the basic error checking:
      • Check Card Number
      • Check Expiration Date
      • Check Security Code
    • Going to your Servers or even going to our Servers to do basic error checking, in our belief, is not the correct way to handle this, see the Coding FAQ.
    • We prefer not to have to do a lot of back and forth, so please QA your HTML Page before submitting to us
      • You can contact us if you want our QA to help QA your HTML
    • Remember that this is your HTML Page that you are presenting to your Customers.
  2. Once our QA OKs your HTML, your HTML Page is sent to our Build/Operations Department:
    • Add the TabaPay specific code
    • Move HTML Page to Sandbox Environment
    • Again, our QA will do a cursory check
  3. At this point you should QA (Test) your HTML Page and you can call the TabaPay API.

How long this takes will depend upon when we receive a working HTML Page. So how long is up to you. Deviating from our requirements will only cause delays.


Customization timeline and availability?
The reason why we will suspend the full Customization of the SSO is Client Expectations... and our Expectations for the submitted SSO Web Page. Unfortunately there is a mismatch, so to clarify this mismatch, here are some points to consider beforehand to avoid frustration on all sides with the process:
  • Normally we only do a build of a Client's SSO Web Page on the weekends and have it available by End-of-Day Monday, Tuesday if Monday is a holiday
  • We expect the Client to QA their own SSO Web Page
  • We will reject a Client's SSO Web Page if we find a problem
  • As previously mentioned elsewhere, we do not want a lot of back and forth with the SSO Web Page
  • We hope this would be the sequence of events:
    1. The Client reads the Developers WebSite to understand the SSO Web Page
    2. The Client can ask support for any clarification
    3. The Client develops their SSO Web Page
    4. The Client tests (QA) their SSO Web Page
    5. When the Client completes their testing, the Client submits their SSO Web Page
    6. TabaPay only does a cursory QA of the Client's SSO Web Page
    7. If TabaPay QA finds a problem with the Client's SSO Web Page, it will be rejected
    8. TabaPay builds the SSO Web Page
    9. TabaPay makes the SSO Web Page available by End-of-Day Monday (Tuesday if Monday is a holiday)
    10. The Clients can now test the completed SSO Web Page
    We only expect a sequential flow and we do not expect a loop in this flow. If your SSO Web Page was rejected, it has to restart the process over again.

Please Keep it SIMPLE, the more complex your SSO Web Page is, the harder it is for us to Add our Changes and Test our Changes. And an abnormal SSO Web Page that is hard to Test will eventually go unTested and we will have to leave it to you to test the changes. So in the future, if you do have a difficult SSO Web Page, you will need to tell us how to test it or even give us tools to test it.

Just think how many different SSO Web Pages we get, each so very different; so far, none are similar. Just think how hard it is for us to try to change that code and then try to test it... Just think... Be in our shoes... So this is one reason why we will suspend the full Customization of the SSO.


Compiling with the Google Closure Compiler?
We use the following options:
          --compilation_level ADVANCED_OPTIMIZATIONS
We use Advanced Optimizations for reasons other than for size. Size is just a nice side benefit.

Just like the HTML and CSS, we actually do not minify the HTML and CSS, but we pack them.

PCI Helper - RSA FAQ

RSA?
RSA is the most widely used asymmetric algorithm.

Using Encrypted Data in the TabaPay API Calls doesn't seem to be working?
Make sure you are using RSA with the Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding and the language you are using supports the correct (common usage) implementation of that transform.

Receiving a SC=500?
If you pass in an Encrypted Data that was encrypted incorrectly, you will get a SC=500.
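
The two answers above, as an added example using the Web Cryptography API (not TabaPay's sample code): text encrypted with RSA-OAEP and SHA-256 decrypts, while the same text encrypted under a different OAEP hash cannot be decrypted by a receiver expecting SHA-256. The locally generated key pair stands in for the receiving side and the plaintext is constructed; both are assumptions.

```javascript
// Added example: RSA-OAEP with SHA-256 through the Web Cryptography API.
// Browsers and recent Node expose globalThis.crypto; the fallback covers
// older Node versions.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Stand-in for the receiving side (assumption): a locally generated key pair
// whose private key only decrypts RSA-OAEP with SHA-256.
async function makeReceiverKeys() {
  return subtle.generateKey(
    { name: "RSA-OAEP", hash: "SHA-256", modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]) },
    true, ["encrypt", "decrypt"]);
}

// Sender side: import the receiver's public key (SPKI bytes) and encrypt.
// senderHash is the hash the sender's library ends up using for OAEP.
async function encryptFor(spki, senderHash, text) {
  const key = await subtle.importKey(
    "spki", spki, { name: "RSA-OAEP", hash: senderHash }, false, ["encrypt"]);
  return subtle.encrypt({ name: "RSA-OAEP" }, key, new TextEncoder().encode(text));
}

// Returns the decrypted text, or null when the ciphertext cannot be decrypted.
async function roundTrip(senderHash, text) {
  const { publicKey, privateKey } = await makeReceiverKeys();
  const spki = await subtle.exportKey("spki", publicKey);
  const ciphertext = await encryptFor(spki, senderHash, text);
  try {
    const plain = await subtle.decrypt({ name: "RSA-OAEP" }, privateKey, ciphertext);
    return new TextDecoder().decode(plain);
  } catch (err) {
    return null; // OAEP parameters on the two sides did not match
  }
}
```

Web Crypto applies the declared hash to both the OAEP digest and MGF1, so a library that sets the two separately has to set both to SHA-256 to produce the same scheme.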

What languages (and libraries, if any) work (or tested)?
We have first hand knowledge that the following languages (and libraries, if any) work:
  • Java with a slight tweak using the built in RSA encryption
  • Go using the built in RSA encryption
  • JavaScript on a browser using the Web Cryptography API which is available in (all) modern browsers
and we have heard others using the following languages (and libraries, if any):
  • .NET
and other applications (or libraries):

Is there an example, a working example?
See PCI Helper - RSA in Samples...

Clients WebSite FAQ

Limited availability coming soon...
Passphrase
A Passphrase must be at least 8 characters long and contain:
  • At least one lower case letter
  • At least one upper case letter
  • At least one number
We store all Passphrases as Salted Hash values, so we can never retrieve your Passphrase.

Refreshing Transaction Data
Refreshing the Transactions Web Page at intervals below 60 seconds does not do anything and just results in the same data being returned. Transaction Data is updated on the backends every 60 seconds.

Repeatedly trying to refresh Transaction Data may cause our WAF and/or IDS/IPS to blacklist you and eventually your access will be revoked.

Future FAQ

What are our Future Feature Plans?
Clients WebSite

SSO
  • Web Page to capture Card Number, Expiration Date, and Security Code
  • Use a secure Keypad to enter the Card Number and Expiration Date
  • Use a secure Card Swipe to capture the Card Number and Expiration Date
See PCI Helpers - SSO and PCI Helpers - SSO FAQ...

Authorization Tokens
  • Authorization Tokens can Expire
  • You will be able to change your Authorization Token
Copyright © 2017-2018   TabaPay, Inc.   All Rights Reserved...