Last Updated: 30 April 2024 | Change Log

Take a payment

To take a payment, you must first create an authorization request. Your response contains links to your next available actions.


Authorize a payment

If you want to reserve funds in your customer's account, send us an authorization request.

POST your authorization request to the payments:authorizeaction link received in your payments root resource responseto authorize a payment.

Authorization example request

POST https://try.access.worldpay.com/payments/authorizations

The requests below contain all the mandatory fields needed for a successful authorization request.

Note

Click the tabs below to see all the mandatory fields for all supported paymentInstrument parameters.

One-Time Authorization request body:

  1. Card
  2. Token
  3. Apple Pay
  4. Google Pay
  5. Network Token
  6. Apple Pay decrypted
{
    "transactionReference": "Memory265-13/08/1876",
    "merchant": {
        "entity": "MindPalaceLtd"
    },
    "instruction": {
        "narrative": {
            "line1": "Mind Palace"
        },
        "value": {
            "currency": "GBP",
            "amount": 250
        },
        "paymentInstrument": {
            "type": "card/plain",
            "cardNumber": "4444333322221111",
            "cardExpiryDate": {
                "month": 5,
                "year": 2035
            }
        }
    }
}

Parameter descriptions

ParameterRequiredDescription
transactionReferenceA unique reference generated by you that is used to identify a payment throughout its lifecycle. See transaction reference format, for more details and the best practices.
merchantAn object that contains information about the merchant.
merchant.entityDirect your payment to assist with billing, reporting and reconciliation. This is mandatory for authentication and queries.
Contact your Implementation Manager for more details.
merchant.mccYou can apply a merchant category code (mcc) to an individual request. You can only provide an mcc if we have enabled the dynamic mcc feature during boarding. If enabled but not provided, merchant.mcc defaults to a configured value. For more information contact your Relationship Manager.
merchant.paymentFacilitatorAn object containing Payment Facilitator information. This information is required for every authorization only if you are a Payment Facilitator:
  • pfId
  • isoId
  • subMerchant.merchantId
  • subMerchant.postalcode
  • subMerchant.street
  • subMerchant.city
  • subMerchant.countryCode
  • subMerchant.telephone (mandatory for Amex)
  • subMerchant.email (mandatory for Amex)
You can find more formatting information here.
channelThe payment channel indicates the interaction of the cardholder with the merchant. Possible value :
  • moto
Supply a value of moto to process an authorization as a Mail Order or Telephone Order (MOTO) transaction. If channel is not provided, the authorization will be processed as ecommerce by default.
Note
3DS authentication data cannot be supplied for MOTO payments.
instructionAn object that contains all the information related to the payment.
instruction.narrativeThe text that appears on your customer's statement. Used to identify the merchant.
See narrative format for more details and best practices.
narrative.line1The first line of the narrative which appears on your customer's statement (24 characters max. If character is not supported it is replaced with a space.).
See narrative line1 format for more details.
narrative.line2Additional details about the payment e.g. order number, telephone number.
instruction.valueAn object that contains information about the value of the payment.
instruction.debtRepaymentDRI is a flag which identifies a payment as being for the purpose of repaying a debt. Possible value :
  • true (only supply if true)
For more information contact your Relationship Manager.
value.currencyThe three digit currency code.
See list of supported currencies.
instruction.valueAn object that contains information about the value of the payment.
value.amountThe payment amount. This is a whole number with an exponent e.g. if exponent is two, 250 is 2.50. You can find the relevant exponent in our currency table.
instruction.paymentInstrumentAn object that contains the payment type and details.
To use "tokens" as a paymentInstrument you must first create a token.
paymentInstrument.cardHolderNameAn object that contains your customer's card name.
This is not a mandatory field however it is recommended that you supply this to improve authorization rates. If not sent, the default value is "Not Supplied".
paymentInstrument.cardExpiryDateAn object that contains your customer's card expiry date.
Mandatory for all "type": "card/plain" requests.
paymentInstrument.cardNumberAn object that contains your customer's card number. Mandatory for "type": "card/plain" requests.
paymentInstrument.cvcCVC is a unique set of 3 or 4 numbers on the back of the card. Our API checks to see if the CVC supplied matches the CVC held by the issuing bank.
paymentInstrument.billingAddressAn object containing the billing address information. If included you must send at least:
  • address1
  • city
  • countryCode
  • postalCode
This is used for Address Verification Service (AVS) and can only be supplied with a card/plain,card/wallet+applepay or card/wallet+googlepay payment instrument. Our API checks the submitted AVS to see if it matches the address registered with the issuing bank. If the address supplied does not match the registered address it means that the payment carries additional risk.
customer.riskProfileUsed to apply the SCA exemption in the payment request and update the FraudSight data model to benefit future payments.

FraudSight

Link your FraudSight assessment with your payment using the riskProfile. This allows the fraud model to learn and improve the risk health of future payments.

"customer": {
    "riskProfile": "https://try.access.worldpay.com/riskProfile/ewogICJ2IiA6IDEsC"
  }

Full a full request example please see our optional parameters section.

SCA Exemptions

Link your Exemption assessment with your payment using the riskProfile. This allows the exemption to be applied to your payment authorization.

"customer": {
    "riskProfile": "https://try.access.worldpay.com/riskProfile/ewogICJ2IiA6IDEsC"
  }

Full a full request example please see our optional parameters section.

3DS

3DS authorization request parameter descriptions

To get the customer authentication object you must complete an authentication request using our 3DS API.

  1. 3DS2 Card
  2. 3DS2 Token
{
    "transactionReference": "Memory265-13/08/1876",
    "merchant": {
        "entity": "MindPalaceLtd"
    },
    "instruction": {
        "narrative": {
            "line1": "trading name"
        },
        "value": {
            "currency": "GBP",
            "amount": 250
        },
        "paymentInstrument": {
            "type": "card/plain",
            "cardNumber": "4444333322221111",
            "cardExpiryDate": {
                "month": 5,
                "year": 2035
            }
        }
    },
    "customer": {
        "authentication": {
            "version": "2.1.0",
            "type": "3DS",
            "eci": "05",
            "authenticationValue": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=",
            "transactionId": "c5b808e7-1de1-4069-a17b-f70d3b3b1645"
        }
    }
}
Note
  • 3DS1 is supported in certain regions only
  • 3DS data cannot be supplied for MOTO transactions.

The descriptions of parameters from your 3DS authorization request

ParameterRequiredDescription
customerAn object containing the result of your customer's verification. For more details see 3DS verification.
authentication.type3DS
authentication.versionThe version of 3DS used to process the transaction.
For 3DS1 - 1.0.2
For 3DS2 - 2.1.0 or 2.2.0
Note
Required for Mastercard's Identity Check transactions in Authorization.
authentication.eciElectronic Commerce Indicator (ECI).
Indicates the outcome of the 3DS verification.
  • 02 or 05 - Fully Authenticated Transaction
  • 01 or 06 - Attempted Authentication Transaction
  • 00 or 07 - Non 3-D Secure Transaction
  • Mastercard - 02, 01, 00
  • Visa - 05, 06, 07
  • Amex - 05, 06, 07
  • JCB - 05, 06, 07
  • Diners - 05, 06, 07
authentication.authenticationValueRequired, if authentication.eci value is 01, 02, 05 or 06.
A cryptographic value that provides evidence of the outcome of a 3DS verification.
  • Visa - Cardholder Authentication Verification Value (CAVV)
  • Mastercard - Universal Cardholder Authentication Field (UCAF)
authentication.authenticationValue must be 28 digits max and must be base64-encoded.
authentication.transactionIdRequired, if authentication.eci value is 01, 02, 05 or 06.
A unique authentication transaction identifier, generated by the issuer.

For version 3DS1: transactionId is base64-encoded and 28 digits in length.
For version 3DS2: transactionId follows RFC 4122 UUID standard and is 36 characters in length.
authentication.cryptogramAlgorithmIndicates the algorithm used to generate the cryptogram.
For Cartes Bancaires authorizations only.
authentication.challengePreferenceIndicates the preferred challenge behavior.
  • noPrefrence
  • noChallengeRequested
  • challengeRequested
  • challengeMandated

For Cartes Bancaires authorizations only.
authentication.authenticationFlow
  • challenge - Your customer was redirected to their bank to complete authentication
  • frictionless - Your customer completed authentication without needing to be redirected to their bank

For Cartes Bancaires authorizations only.
authentication.statusReasonProvides further information relating to the outcome of the authentication. Returned for failed authentications only.
For Cartes Bancaires authorizations only.
authentication.cancellationIndicatorAn indicator as to why the authentication was cancelled.
  • - 01 - Cardholder selected cancel
  • - 02 - Reserved for future use
  • - 03 - Authentication timed out
  • - 04 & 05 - Authentication timed out at ACS provider
  • - 06 - Transaction error
  • - 07 - Unknown
  • - 08 - Transaction timed out at SDK

For Cartes Bancaires authorizations only.
authentication.networkScoreThe global score calculated by the Cartes Bancaires scoring platform.
For Cartes Bancaires authorizations only.
authentication.brandThe card brand used in the authentication.
For Cartes Bancaires authorizations only.

Optional parameters

Example One-Time Authorization request (all parameters)

The requests below contain all the mandatory and optional fields needed for a successful authorization request.

Full authorization request body:

  1. Card All
  2. Token All
  3. 3DS2 Card All
  4. 3DS2 Token All
  5. Apple Pay
  6. Google Pay
  7. Network Token
  8. Apple Pay decrypted
  9. 3DS2 Cartes Bancaires Card All
  10. 3DS2 Cartes Bancaires Token All
{
    "transactionReference": "Memory265-13/08/1876",
    "merchant": {
        "entity": "MindPalaceLtd",
        "mcc": "1234",
        "paymentFacilitator": {
            "pfId": "12345",
            "isoId": "12345",
            "subMerchant": {
                "name": "John",
                "merchantId": "12345",
                "postalCode": "SW1 1AA",
                "street": "Regent Street",
                "city": "London",
                "state": "WSM",
                "countryCode": "826",
                "taxId": "ABC-123456789",
                "email": "test@email.com",
                "telephone": "+447987 654321"
            }
        }
    },
    "channel": "moto",
    "instruction": {
        "debtRepayment": true,
        "narrative": {
            "line1": "Mind Palace Ltd",
            "line2": "Memory265-13/08/1876"
        },
        "value": {
            "currency": "GBP",
            "amount": 250
        },
        "paymentInstrument": {
            "cvc": "123",
            "billingAddress": {
                "address1": "221B Baker Street",
                "address2": "Marylebone",
                "address3": "Westminster",
                "postalCode": "NW1 6XE",
                "city": "London",
                "state": "Greater London",
                "countryCode": "GB"
            },
            "type": "card/plain",
            "cardHolderName": "Sherlock Holmes",
            "cardNumber": "4444333322221111",
            "cardExpiryDate": {
                "month": 5,
                "year": 2035
            }
        }
    },
    "customer": {
        "riskProfile": "https://try.access.worldpay.com/riskProfile/ewogICJ2IiA6IDEsC"
    }
}

Response

Best Practice

Access Worldpay returns a WP-CorrelationId in the headers of service responses. We highly recommend you log this. The WP-CorrelationId is used by us to examine individual service requests.

Successful payment

You receive:

paymentInstrument

The "paymentInstrument" object is returned if we are able to provide information related to the underlying card used in the authorization request.

Note

Note that if the paymentInstrument object is returned, there is no guarantee that each field listed below will be returned with every transaction.

ParameterDescription
paymentInstrument.typeThe type of paymentInstrument. Eg:
  • card/plain+masked
  • card/network+masked
  • card/network
paymentInstrument.card.brandThe card brand. Sometimes referred to as the network or scheme. Eg:
  • "visa"
  • "mastercard"
  • "amex"
paymentInstrument.card.number.binThe card bin. Eg:
444433
Note
this may contain the * character.
paymentInstrument.card.number.last4DigitsThe last four digits of the card. Eg:
1111
Note
this may contain the * character, where the card number is less than 16 digits.
paymentInstrument.card.expiryDate.monthThe card expiry month. Eg:
11
paymentInstrument.card.expiryDate.yearThe card expiry year. Eg:
2025
paymentInstrument.card.fundingTypeHow the card is funded. Eg:
  • credit
  • debit
  • prepaid
  • deferredDebit
  • chargeCard
paymentInstrument.card.categoryWhether the card is classed as a consumer card or a card for commercial use. Eg:
  • consumer
  • commercial
paymentInstrument.card.countryCodeThe alpha-2 ISO-3166 country code that the card was issued in. May return "N/A" where the country is unknown. Eg:
GB
paymentInstrument.card.issuer.nameThe name of the card issuer. Eg:
Some Issuer PLC.
paymentInstrument.card.paymentAccountReferenceThe payment account reference (PAR) is a non-financial reference that uniquely identifies the underlying cardholder account. This allows you to correlate payments made with differing instruments (e.g. "card/plain" and "card/wallet+applepay"), where the same account funds the transaction. A PAR cannot be used to intiate a payment. Eg:
ABC123DEF456GHI789JKL123MNO45

Refused payment

You receive:

  • an HTTP code 201
  • an "outcome": "refused"
  • a refusal code
  • a description which gives additional context on the refusal
  • a refusal advice code (only if returned by the card scheme and acquirer)
  • risk factors (only returned if issuer identifies conflict)
  • an exemption result and reason (only if you supplied a risk profile to request an SCA exemption)
  • a paymentInstrument

Example response

  1. Card/Token/3DS1/3DS2
  2. Apple Pay/Google Pay
  3. Refusal
  4. Refusal Apple Pay/Google Pay
{
    "outcome": "authorized",
    "riskFactors": [{
            "risk": "not_matched",
            "type": "cvc"
        },
        {
            "risk": "not_checked",
            "detail": "postcode",
            "type": "avs"
        },
        {
            "risk": "not_matched",
            "detail": "address",
            "type": "avs"
        }
    ],
    "exemption": {
        "result": "honored",
        "reason": "issuerHonored"
    },
    "issuer": {
        "authorizationCode": "12345A"
    },
    "paymentInstrument": {
        "type": "card/plain+masked",
        "card": {
            "brand": "visa",
            "number": {
                "bin": "444433",
                "last4Digits": "1111"
            },
            "expiryDate": {
                "month": 12,
                "year": 2025
            },
            "fundingType": "credit",
            "category": "consumer",
            "issuer": {
                "name": "Some Issuer PLC"
            },
            "paymentAccountReference": "ABC123DEF456GHI789JKL123M"
        }
    },
    "_links": {
        "payments:cancel": {
            "href": "https://try.access.worldpay.com/payments/authorizations/cancellations/eyJrIjoiazNhYjYzMiJ9"
        },
        "payments:settle": {
            "href": "https://try.access.worldpay.com/payments/settlements/full/eyJrIjoiazNhYjYzMiJ9"
        },
        "payments:partialSettle": {
            "href": "https://try.access.worldpay.com/payments/settlements/partials/eyJrIjoiazNhYjYzMiJ9"
        },
        "payments:events": {
            "href": "https://try.access.worldpay.com/payments/events/eyJrIjoiazNhYjYzMiJ9"
        },
        "curies": [{
            "name": "payments",
            "href": "https://try.access.worldpay.com/rels/payments/{rel}",
            "templated": true
        }]
    }
}

You can use the payments:settle action link to settle the payment straight away. Alternatively you can cache the response and use the link to settle the payment later.

Note
In case of an error, you can get further information in our error reference.

riskFactors

To reduce the probability of processing a fraudulent payment, supply your customer's billing address and cvc in your authorization request.

We check this with your customer's issuing bank and include any conflicts in our response.

The riskFactors array is returned only if there is a risk associated with the authorization request. The riskFactors array returns an object for avs, cvc or riskProfile only if this information was included in the authorization request and if any risk was identified.

The table below describes the response parameters:

ParameterDescription
riskFactors.typeReturns avs, cvc or riskProfile
riskFactors.detailFor avs only.
Returns postcode or address
riskFactors.riskReturns not_checked, not_matched, not_supplied or verificationFailed

exemptions

An exemption result and reason if a risk profile was included in your authorization request.

The table below describes the response parameters:

ParameterDescription
exemption.resultReturns honored, outOfScope, rejected or unknown
exemption.reasonFor honored, returns issuerHonored or unknown.
For outOfScope, returns merchantInitiatedTransaction, oneLegOut, moto, contactless or unknown.
For rejected, returns issuerRejected, highRisk, invalid, unsupportedScheme, notSubscribed, unsupportedAcquirer or unknown

Soft declines

The issuer responds with a soft decline (refusal code 65), if no exemption has been applied to the payment. The next logical step for this is to proceed with 3DS authentication.

Next steps


Settle or cancel a payment