1.0 Guide Swish API 170324 Utan ändringsmarkering
User Manual:
Open the PDF directly: View PDF .
Page Count: 36
Download | |
Open PDF In Browser | View PDF |
Version 1.6 Guide Swish API Integration Guide Datum: 2017/03/24 Table of content 1 2 Introduction ....................................................................................................................................... 5 1.1 Terms and definitions ................................................................................................................ 5 1.2 Document purpose .................................................................................................................... 6 1.3 Swish overview ......................................................................................................................... 6 1.4 Payment .................................................................................................................................... 6 1.4.1 Swish e-commerce ............................................................................................................ 6 1.4.2 Swish m-commerce ........................................................................................................... 7 1.5 Refund ....................................................................................................................................... 8 1.6 Security ..................................................................................................................................... 8 Use Cases ........................................................................................................................................ 9 2.1 Swish handel application procedure ......................................................................................... 9 2.2 Payment request in the Swish app ......................................................................................... 10 2.2.1 Swish m-commerce ......................................................................................................... 10 2.2.2 Swish e-commerce .......................................................................................................... 11 2.2.3 Reject payment ................................................................................................................ 11 2.3 Refund ..................................................................................................................................... 11 2.4 Termination Swish handel ....................................................................................................... 12 3 Technical Requirements................................................................................................................. 12 4 Merchant Setup Process ................................................................................................................ 12 5 4.1 Technical Integration ............................................................................................................... 12 4.2 Managing certificates .............................................................................................................. 13 4.3 Revoking a certificate .............................................................................................................. 13 Launching Swish app from merchant app ...................................................................................... 14 5.1 Detecting if Swish app is installed on the device .................................................................... 14 5.1.1 iOS (detect) ...................................................................................................................... 14 5.1.2 Android (detect) ............................................................................................................... 14 5.1.3 Windows Phone (call the Swish app) .............................................................................. 15 5.1.4 Detection with mobile web browsers ............................................................................... 15 5.2 Switch to Swish app, and back ............................................................................................... 16 5.2.1 iOS ................................................................................................................................... 16 5.2.2 Android ............................................................................................................................. 17 5.2.3 WinPhone ........................................................................................................................ 18 5.2.4 JavaScript calls and open Swish ..................................................................................... 19 5.2.5 For Chrome version >= 24 ............................................................................................... 19 6 Test Environment ........................................................................................................................... 20 7 Production Environment ................................................................................................................. 20 © Swish 2 8 Guidelines for using the Swish API ................................................................................................ 20 8.1 Consumer in control of payment requests .............................................................................. 20 8.2 Use the call-back for payment requests and refunds ............................................................. 21 8.3 Refund transactions – avoid large batches ............................................................................. 21 8.4 Renewal of Client TLS Certificate ........................................................................................... 21 8.5 Displaying the Swish alias to consumers ................................................................................ 21 9 Versioning the Web Service API .................................................................................................... 21 9.1 10 Versions .................................................................................................................................. 21 Support ....................................................................................................................................... 22 10.1 Deployment support ............................................................................................................ 22 10.2 Operating information .......................................................................................................... 22 11 Swish API Description ................................................................................................................ 23 11.1 Payment Request ................................................................................................................ 23 11.1.1 Swish e-commerce .......................................................................................................... 23 11.1.2 Swish m-commerce ......................................................................................................... 24 11.1.3 Create Payment Request ................................................................................................ 24 11.1.4 Retrieve Payment Request .............................................................................................. 26 11.1.5 Callback ........................................................................................................................... 27 11.2 Payment Refund .................................................................................................................. 28 11.2.1 Create Refund.................................................................................................................. 29 11.2.2 Retrieve Refund ............................................................................................................... 30 11.2.3 Callback ........................................................................................................................... 31 11.3 Objects ................................................................................................................................ 31 11.3.1 Payment Request Object ................................................................................................. 31 11.3.2 Refund Object .................................................................................................................. 34 11.3.3 Error Object...................................................................................................................... 35 © Swish 3 Date Version 2015-11-13 0.9.8 2015-12-08 0.9.8.1 Claes Scheffer 2015-12-10 0.9.8.2 Claes Scheffer 2015-12-15 0.9.8.3 Claes Scheffer 2016-01-18 1.0 PJ 2016-02-12 1.1 2016-04-22 1.2 Sylvain Schüpp Roland Mattsson Sylvain Schüpp 2016-10-04 1.3 David Selander 2016-12-13 1.4 David Selander © Swish Name Description Version 0.9.8 Changed document name to Guide Swish API. 1.3 Changed some wording. 2.1 Added personal information that needs to be registered about the CPOC. 3 Added information about port. 4 Added guidelines for handling keys and certificate. 8.2 Added refund. 11.1.3 Changed url in code examples. 11.1.4 Changed url in code examples. 11.1.5 Added information about time outs. 11.2.1 Deleted error codes AC05, AC06, AC07, AC15, AM04, AM14, AM21, and DS0K. Added error code RF07. Changed url in code examples. 11.3.1 Clarified mandatory, optional and response parameters. Deleted error codes AC05, AC06, AC07, AC15, AM04, AM14, AM21, and DS0K. Added error code RF07. 11.3.2 Clarified mandatory, optional and response parameters. Deleted error codes AC05, AC06, AC07, AC15, and AM04. Added error code RF07. 7 Corrected Swish API URL for paymentrequests 3 Complemented information about the requirement of TLS certificate for callback endpoint. 11.1.3 Changed payerAlias number format in example. 11.1.4 Changed payerAlias number format in example. 11.2.2 Added possible statuses. Changed payerAlias number format in example. 11.2.3 Added DEBITED. 11.3.2 Changed CREATED to VALIDATED. 1.5.1 Changed text. 1.5.2 Corrected text. 5.1.1 Corrected text and Changed the heading for Windows phone example. Created document version 1.0. 5 Reformatting of code example, App Section updated. 11.1.4, change m to e-commerce 11.2.1 Change payerAlias to 1231181189 11.2.2 Change payerAlias to 1231181189 11.3.1 Changed text for errorcode RF07 Added error code BANKIDONGOING 11.3.2 Changed text for errorcode RF07 4 2017-02-22 1.5 Oscar Jonsson David Selander 2017-03-24 1.6 David Selander Added 5.2.4 JavaScript calls Swish Added 5.2.5 For Chrome version >= 24 Changed text 11.1 Payment Request 11.1.5 Cutofftimer changed from 8/5 min to 3 min 11:3:1 Added errorcode BANKIDUNKN 3. SNI not supported. 1 Introduction 1.1 Terms and definitions Term Definition Partner A partner is a company, working with technical integrations, app development, platform development and/or payment services that may help and facilitate merchant integration and operation for Swish. Banks have agreements with the merchants who in turn may have an agreement with a partner. Merchant A merchant is a company, association or organisation which receives payments via Swish. Merchants sign Swish agreements with their respective bank. Merchant Swish Simulator The Merchant Swish Simulator is a test tool to test the Swish-API. Consumer A consumer is a private Swish customer that can use the Swish app on a mobile device. Swish handel Swish handel gives the merchants the possibility to use Swish as a payment method in m- and e-commerce. The service is aimed primarily for m- and ecommerce stores, via apps and browsers. Swish handel consist of two different payment solutions; Swish m-commerce and Swish e-commerce, a security solution and a function for refunds. All of them are reachable for the merchants through Swish API. The service can be offered by the banks under a different product name than Swish handel. Swish m-commerce Swish payments from a mobile device made either through an app or via a mobile browser on the same mobile device. Swish e-commerce Swish payments initiated by the consumer in a browser in equipment other than the mobile device that hosts the Swish app. Swish customer This is any customer to Swish, either a consumer (person) or a merchant. Payee This is the Swish customer that receives the payment Payer This is the Swish customer that makes the payment Alias A unique identifier for a Swish customer. For a consumer it is the mobile number and for a merchant it is the Swish number. © Swish 5 Payment request A payment request is a transaction sent from a merchant to the Swish system to initiate an e-commerce or m-commerce payment. Payee Payment Reference A payee payment reference is the merchant’s own identifier of the transaction/order to be paid. It is sent to the Swish system as a parameter to the payment request and is later returned in confirmation messages. Refund A refund is a transaction sent from the merchant to the Swish system to return the whole amount or part of a payment. The reference to the original payment must be provided. 1.2 Document purpose The integration guide is for anyone who wishes to understand and implement Swish handel in their services and systems. The integration guide explains how to connect to the Swish API and includes information about the payment and refund options related to the Swish handel service. More information about the service can be found at https://www.getswish.se/handel. 1.3 Swish overview By enrolling to the service Swish handel at the merchant’s bank and getting access to the Swish API, merchants can handle payments in e-commerce and m-commerce scenarios in a way which is very convenient and familiar to millions of Swedish consumers. The service builds on the ease-of-use of the person-to-person payment service. Enrolled to the service the merchant can receive payments from all private persons using Swish. It is also possible for merchants to make refunds in real time using Swish using the API. Some banks will also provide the possibility to initiate refunds from the bank’s digital channels. In brief, a payment involves the following steps: The merchant creates a payment request using the Swish API that the consumer views and accepts in the Swish app. The consumer and the merchant receive payment confirmations instantly when the amount has been transferred from the consumer’s to the merchant’s account. For security reasons the payment request is only valid during a limited period time for the consumer in the Swish app. When enrolling to the service, the merchant obtains a Swish alias to one of the merchant’s bank accounts. The merchant will also give authorize Certificate Point of Contact persons during enrollment. These persons will use the Swish Certificate Management System to manage digital certificates, which is one component of securing the access to the API. The business transaction when a payment is made using Swish is between the merchant and the consumer and this transaction implies that the consumer makes an advance payment for purchased goods or services. 1.4 Payment It is always the consumer that initiates a payment, and there are two ways to do it; Swish e-commerce or Swish m-commerce. 1.4.1 Swish e-commerce © Swish 6 The consumer initiates the payment on the merchant’s web shop. In this case the consumer needs to open the Swish-app. The consumer opens the Swish app, which is preloaded with payment information. The consumer signs the payment with Mobile BankID A payment confirmation is shown in the Swish app. 1.4.2 Swish m-commerce © Swish 7 The consumer initiates the payment on the merchant’s app using a mobile device. In this case the consumer does not need to open the Swish-app. The consumer chooses to pay with Swish from the merchant’s app or website. The Swish app is activated automatically and preloaded with payment information. The consumer signs the payment with Mobile BankID. The consumer gets the payment confirmation in the merchant’s app or website. 1.5 Refund A merchant that has received a Swish payment can refund the whole or part of the original transaction amount to the consumer. A refund can only be done on an existing payment. The number of refunds on one payment is unlimited, until the total amount reaches the amount of the original payment. A payer Order payment reference ID and message to the consumer can be attached to the refund but these are optional. If the refund is successful, a message will be sent to the payee’s app. A refund can be made on a payment for 12 months. 1.6 Security In order to protect the Swish API and to ensure the identity of the parties, the security solution encrypts the traffic and authenticates the identities of the merchant and Swish server. The security solution is implemented as PKI based TLS client/server certificates, where the certificates are issued upon order by the merchant or someone appointed by the merchant. A certificate is valid for 2 years. A merchant appoints up to 5 persons via their bank, who will be able to logon to an administrative GUI connected to the security solution (identified by BankID/BxID on card or Mobile BankID). An appointed © Swish 8 person can administer their certificates using the GUI. An administration of certificates includes view, order new/download and revoke. 2 Use Cases The user stories below act as example to increase the understanding of the service Swish handel on a high level. 2.1 Swish handel application procedure This user story describes on a high level how a merchant applies for the service Swish handel. 1. The merchant contacts a Swish connected bank to sign an agreement for the service. 2. The merchant confirms the business terms and signs the agreement with the bank. a. The bank obtains and registers the necessary merchant information, including info about the appointed recipients of the API certificate - CPOC (Certificate Point Of Contact). The following personal information is mandatory about the CPOC: Social Security Number, Name, Company Registration Number. Optionally, some banks will also require additional information such as E-mail and phone number. b. A Swish number is created for the agreement. c. The bank sends an enrollment request to Swish security solution. 3. The security solution receives and registers info about the CPOC connected to the Swish number. The CPOC’s are granted access to the certificate management system in the Swish security solution. 4. The merchant is now ready for Swish API access. © Swish 9 5. The merchant or the partner needs to generate a csr-file (Certificate Signing Request). This is normally done by the CPOC. 6. The CPOC logs in to the certificate management system using Mobile BankID, BankID on card or BxID and creates the certificate. 7. The CPOC installs the certificate in the merchant’s server and connects it to Swish API. If needed, Swish support function can assist with the connection. 8. The merchant verifies the connection. 2.2 Payment request in the Swish app 2.2.1 Swish m-commerce The m-commerce flow should be used when the Swish app is on the same device as the merchant’s mobile site or app – hence a mobile device. 1. Consumer chooses to pay with Swish for a product or a service in the merchant app. 2. The merchant sends a payment request to the Swish system using the API. a. The transaction contains data such as: amount, receiving Swish-number, merchant (payee) payment reference and an optional message to the consumer. 3. The merchant receives a Request Token. 4. Consumer’s Swish app is opened automatically by the merchant’s site or app showing the payment section that is preloaded with payment information. a. The app is opened with the request token as a parameter. 5. Consumer clicks Pay (”Betala”) and the Mobile BankID app opens automatically for signature of the payment transaction. 6. Consumer confirms the payment transaction by signing with the Mobil BankID using his/her password. 7. The amount is transferred in real-time from the consumer’s account to the merchant’s account. 8. Consumer is linked back to the merchant app for payment transaction confirmation. a. Note: the confirmation screen in Swish-app is not displayed in this flow. 9. The merchant receives a confirmation of successful payment. 10. Consumer can view the payment in the events section “Händelser” as a sent payment in the Swish app. © Swish 10 2.2.2 Swish e-commerce The e-commerce flow should be used when the Swish app is on another device than the merchant’s site. 1. Consumer chooses to pay with Swish for a product or a service at the merchant website and enters his/her mobile phone number which is enrolled to Swish. 2. Information on the merchant website should inform the consumer to open the Swish app to confirm the transaction. 3. The merchant sends a payment request to the Swish system using the API. a. The transaction contains data such as: amount, receiving Swish-number, consumer’s mobile phone number, merchant payment reference and an optional message to the consumer. 4. Consumer opens the Swish app showing the payment section, which is preloaded with the information in the payment request. 5. Consumer clicks Pay (”Betala”) and the Mobile BankID app opens automatically for signature of the payment transaction. 6. Consumer confirms the payment transaction by signing with the Mobil BankID using his/her password. 7. The amount is transferred in real-time from the consumer’s account to the merchant’s account. 8. Consumer receives a payment confirmation in the Swish app. 9. The merchant receives a confirmation of successful payment. 10. Consumer receives a payment confirmation at the merchant website. 11. Consumer can view the payment in the event section “Händelser” as a sent payment in the Swish app. 2.2.3 Reject payment Consumer wants to dismiss the payment request in the Swish app and clicks on “Avbryt”. The rejected payment request is deleted from the Consumer’s Swish app. 2.3 Refund There are two ways to make a refund: through the bank channel or through the API channel. This section describes the API channel on a high level. As a merchant, I have received a Swish payment and wish for some reason to refund the whole or part of the original amount to the payer. The merchant chooses which payment that is to be completely or partially refunded. The merchant specifies the refund amount and sends the refund. The merchant will also be able to send its own information that will be shown to the payer in the event section in the Swish app, and also on the payee bank account statement. The information will also be used by the company for tallying. The merchant receives a confirmation that the refund has been completed. As recipient of a refund, the payee receives a payment notification in the Swish app. The payment notification is marked "Återbetalning" in the event section in the Swish app. Alternative flow – ”payment notification”: In cases when the recipient of a refund cannot receive data push notifications at the moment, the refund will be visible in the Swish app next time the recipient logs in. The refund will also appear in the recipient´s bank account statement. © Swish 11 Alternative flow – ”refund receiver not connected to Swish”: In cases when the recipient of a refund has terminated the Swish agreement since the original payment occurred, the merchant will receive an error message stating that the refund cannot be processed. Refund must in this case be done via another channel. 2.4 Termination Swish handel 1. The merchant terminates the agreement with the bank. The service will stop working. 2. The merchant is responsible for termination/revocation of the API certificates. 3. Refunds will not be possible to do on the terminated Swish number. 3 Technical Requirements The Swish server requires TLS 1.1 or higher. The merchant must be able to receive the callback HTTPS POST request from the Swish server over TLS. The callback endpoint has to use HTTPS on port 443 and it is highly recommended to use IP filtering as well. For the callback Swish will be acting client and the merchant server is acting server. Swish will validate the merchant callback server TLS certificate against a list of commonly recognized CAs. For now that Swish API does not support Server Name Indication (SNI) for the callback functionality. 4 Merchant Setup Process 4.1 Technical Integration In order to integrate a merchant commerce solution with Swish API the merchant needs to get a client TLS certificate from Swish Certificate Management and install it on their server. The certificate will be used for client authentication of TLS communication with Swish API. The following steps need to be performed: 1. Generate a pair of 2048 bits RSA keys on your server and create a certificate request (CSR) in a PKCS#10 format. This step depends on the type of web server solution that is used and differs between different types of servers. The keys are usually generated to a so-called keystore (e.g. Java keystore, Microsoft Windows keystore) or file (e.g. openSSL on Apache/Tomcat). For details please consult your web solution documentation or your supplier. Note: The following examples are to be considered regarding secure handling of cryptographic keys and certificates. The Customer’s keys should be installed by the Customer in secure cryptographic units or should be protected in a similar manner. The keys should only be installed on units necessary for production and back-up purposes. The keys should be deleted at all instances when no longer operational. The keys should at all times be stored with strong encryption and protected using passwords or more secure procedures, e.g. smart-cards. Passwords used to protect the keys should be handled two jointly and are to be stored in a secure manner so they cannot be lost or subjected to unauthorized access. It is highly important to protect the private key from unauthorized access. It is recommended to protect the keys with a password if your server provides this option. Care should be taken to protect the passwords as well. © Swish 12 There are no requirements on the content of the CSR (names or other parameters), except for the keys that need to be 2048-bit RSA. It is possible to install the same certificate on several servers (depending on technical server setup, but no license limitations), or to issue one key pair and certificate per server. 2. Login to Swish Certificate Management at https://getswishcert.bankgirot.se by using mobile BankID, BankID on card or BxID. Only the person(s) registered by the bank for a specific merchant will be able to perform this step. 3. Provide the organizational number of the merchant and the Swish number for which a certificate is to be generated. 4. Choose tab "New certificate" and paste the content of the generated CSR into the text field. Choose whether the certificate should to be in PKCS#7 or PEM format. Consult your documentation regarding which format suits your solution. 5. A new certificate is generated and provided on the screen. Copy the text string and save it to a file. The response (PKCS#7 or PEM) will contain your client certificate and all CA certificates up to the Swish root. 6. Import the generated certificate and all CA certificates to your server. For details on how to perform this step consult your web solution documentation or your supplier. 7. The Swish server is set up with a TLS server certificate, which needs to be verified when initiating TLS from your web server to Swish. Choose to trust Swish Root CA (o=Getswish AB, ou=Swish Member CA, cn=Swish Root CA v1). The certificate chain for the Swish server TLS certificate, i.e. the Swish Root CA certificate and the Intermediate CA certificate, are available via the Certificate Management GUI via the link “Download Swish server TLS certificate”. For details on how to perform this step consult your web solution documentation or your supplier. After performing the steps 1 - 7 you should be able to set up TLS with the Swish API. Note: It is necessary provide the generated certificate together with all CA certificates up to the Swish Root CA in order to correctly set up a TLS session with the Swish API. Note: No error messages will be returned before a TLS session is successfully established with the Swish API. This means that if the wrong certificate has been used, if the validity time of the certificate has expired, or if the certificate has been revoked, no indication of this is given. Note: It is recommended to require verification of the Swish API TLS certificate and not to ignore this verification, in case your server allows you to disable server certificate verification. 4.2 Managing certificates Login to Swish Certificate Management at https://getswishcert.bankgirot.se by using mobile BankID, BankID on card or BxID. Only the person(s) registered by the bank for a specific merchant will be able to perform this step. Provide the organizational number of the merchant and the Swish number for which a certificate is to be managed. After logging in a list is provided with all certificates associated with the specific merchant and Swish number, and the status of them. By clicking on “Download” it is possible to see further details and to attain the certificate again. 4.3 Revoking a certificate © Swish 13 If the integrity of the merchant’s private key has been compromised, if a certificate has been replaced by a new one, if the service has been terminated, or if the merchant needs to revoke a certificate for some other reason, this can be done via the Swish Certificate Management. Login to Swish Certificate Management at https://getswishcert.bankgirot.se by using mobile BankID, BankID on card or BxID. Only the person(s) registered by the bank for a specific merchant will be able to perform this step. Provide the organizational number of the merchant and the Swish number for which a certificate is to be revoked. After logging in a list is provided with all certificates associated with the specific merchant and Swish number, and the status of them. By clicking on the trash can it is possible to revoke a specific certificate. Please be aware that the certificate is irreversibly revoked and that revoking a certificate that is in use may lead to an interruption of the service. 5 Launching Swish app from merchant app 5.1 Detecting if Swish app is installed on the device Merchant apps, excluding web browsers, can detect if the Swish app is installed on the device. Below are code snippets that shows this. Notice that it is not possible from a Windows Phone application to detect if the Swish app is installed on the device. 5.1.1 iOS (detect) static inline bool isSwishAppInstalled(void) { return [[UIApplication sharedApplication canOpenURL:[NSURL URLWithString:@"swish://"]]; } 5.1.2 Android (detect) © Swish 14 //Swish package name is “se.bankgirot.swish” protected boolean isSwishAppInstalled(Context _context, String SwishPackageName) { boolean isSwishInstalled = false; try { _context.getPackageManager().getApplicationInfo(SwishPackageName, 0); isSwishInstalled = true; } catch(PackageManager.NameNotFoundException e) { } return isSwishInstalled; } 5.1.3 Windows Phone (call the Swish app) // The URI to launch string uriToLaunch = @"swish://paymentrequest"; // Create a Uri object from a URI string var uri = new Uri(uriToLaunch); // Launch the URI async void DefaultLaunch(){ // Launch the URI var success = await Windows.System.Launcher.LaunchUriAsync(uri); if (success) { // URI launched } else { // URI launch failed } } 5.1.4 Detection with mobile web browsers The investigation of the abilities to determine if Swish is installed on a device shows that there is an absence of a standard, documented way to do this from the web browsers. The found workaround is based on the time during which the return to the browser was performed. The idea of this approach is that JavaScript code on current page will be frozen right after calling Swish application because the control flow will be given to the Swish if it started successfully. Control flow will be returned back to JavaScript when Swish will be finished. Thus if the JavaScript code continue executing after short time from the moment of the trying to call Swish - this means that Swish is not installed on the device. The JavaScript code snippet given below: © Swish 15 //remember the time of start application timestart = new Date().getTime(); //try to run application (Swish) in the frame by opening custom URL-SCHEME createIFrame(url+"&browser="+browserName+"&back="+encodeURIComponent(location.toString())+"&us eragent="+encodeURIComponent(userAgent)); //remember time of returning from application timeend = new Date().getTime(); //if from the moment of the attempt //control returns back to this code //most probably this means that the //the user spent the time using the to run the application to moment when the passed enough much time (more then 3 sec), application was successfully started and application if(timeend — timestart > 3000) { isSwishInstalled = true; } else { isSwishInstalled = false; } But, as investigations show, this approach does not work for WinPhone and Android Chrome version 25 and newer. Moreover, because Android’s default browser is now based on Chrome core, this is also true for default browser. In the 3 variants, WinPhone browser (Internet Explorer), Android default platform browser and Android Chrome from version 25, they do not immediately return the control to the JavaScript code when the called application (Swish) is not installed on the device - instead they open a dialog and offer the user to go to the platform's market to download the required application (Swish). This means, that in this case the browser will either successfully open Swish or ask the user to go to the market to download and install Swish. 5.2 Switch to Swish app, and back The merchant apps, including mobile web browsers, will call the Swish app using the Custom URL Scheme "swish://paymentrequest". The merchant app has to send the Swish app the following: Payment request token The merchant receives the payment request token from the CPC. A callback URL This is a string that Swish will use as parameter to switch back to the merchant app after payment is finished. The goal of this parameter is to force the application to open a given GUI view - or for a browser, to open a specific URL. The callback URL should be passed in in URL-encoded format. Both parameters are required, so the correct URL to open Swish app is: swish://paymentrequest?token= &callbackurl= When Swish is finished, it (or BankID app) will call the provided callback URL. For the merchant app to react on this call, the merchant app needs to register for that URL scheme and provide code for handling the request. Code snippets describing switch to Swish as well as information about declaring URL scheme and handling calls to it are provided below for each platform. Note that the URL Sheme “merchant:\\” is used in the examples below. This is only an example – each merchant shall use its own unique scheme. 5.2.1 iOS The following code can be used to switch to Swish from the merchant app © Swish 16 // character set is used to encode callback URL properly NSCharacterSet *notAllowedCharactersSet = [NSCharacterSet characterSetWithCharactersInString:@"!*'();:@&=+$,/?%#[]"]; NSCharacterSet *allowedCharactersSet = [notAllowedCharactersSet invertedSet]; NSString *callbackURLStr = @"merchant://"; NSString *encodedCallbackURLStr = [callbackURLStr stringByAddingPercentEncodingWithAllowedCharacters:allowedCharactersSet]; NSString *swishURLStr = [NSString stringWithFormat:@"swish://paymentrequest?token=%@&callbackurl=%@", token, encodedCallbackURLStr]; NSURL *swishURL = [[NSURL alloc] initWithString: swishURLStr]; if ([[UIApplication sharedApplication] canOpenURL:swishURL]) { if ([[UIApplication sharedApplication] openURL:swishURL]) { // Success } else { // Error handling } } else { // Swish app is not installed // error handling } The enable the switch back from Swish, the merchant app needs to register a URL scheme. This is done by including a CFBundleURLTypes key in the app’s Info.plist. The merchant app must also implement the following function that will be called when the switch back happens. -(BOOL)application:(UIApplication *)application openURL:(NSURL *)url sourceApplication:(NSString *)sourceApplication annotation:(id)annotation; 5.2.2 Android © Swish 17 The following code can be used to switch to Swish from the merchant app. public static boolean startSwish(Activity activity, String token, String callBackUrl, int requestCode) { If ( token == null || token.length() == 0 || callBackUrl == null || callBackUrl.length() == 0 || activity == null) { return false; } Uri scheme = Uri.parse("swish://paymentrequest?token="+token+"&callbackurl="+callBackUrl ); Intent intent = new Intent(Intent.ACTION_VIEW, scheme); intent.setPackage("se.bankgirot.swish"); boolean started=true; try { activity.startActivityForResult(intent, requestCode); } catch (Exception e){ started=false; } return started; } The app manifest file is used to register the URL scheme in the merchant app : The merchant app also needs to process then intent in onCreate and onNewIntent methods when switch back happens. 5.2.3 WinPhone The following code can be used to switch to Swish from the merchant app. // Create the URI string var uriToLaunch = string.Format("swish://paymentrequest?token={0}&callbackurl={1}", , Uri.EscapeDataString("merchant://")); // Create the URI to launch from a string. var uri = new Uri(uriToLaunch); // Launch the URI. bool success = await Windows.System.Launcher.LaunchUriAsync(uri); If the Swish app is not present on the device the operating system presents a dialogue asking to open Windows Phone store. Merchant app must inform the user. The merchant app registers an URL scheme in Visual Studio as: 1. 2. 3. 4. © Swish Open Package.appxmanifest Open the tab Declarations. Add a "Protocol". Under name enter ”merchant”. Enter a logo and a "Display name". 18 Merchant must also implement the following to be successfully re-launched by Swish App. In Visual Studio add the class AssociationUriMapper: /// /// The association uri mapper. /// internal class AssociationUriMapper : UriMapperBase { ////// When overridden in a derived class, converts a requested uniform resource identifier (URI) to a new URI. /// ////// A URI to use for the request instead of the value in the /// The original URI value to be mapped to a new URI. public override Uri MapUri(Uri uri) { var tempUri = System.Net.HttpUtility.UrlDecode(uri.ToString()); // URI association launch. if (tempUri.StartsWith("/Protocol")) { // Here we can redirect to the correct page, but for now we don't return new Uri("/MainPage.xaml", UriKind.Relative); } // Otherwise perform normal launch. return uri; } } In App.xaml.cs, add AssociationUriMapper as UriMapper by adding the following line to the method InitializePhoneApplication: // Assign the URI-mapper class to the application frame. RootFrame.UriMapper = new AssociationUriMapper(); 5.2.4 JavaScript calls and open Swish For the browser Safari you can use: swish://paymentrequest?token=value&callbackurl=back_scheme 5.2.5 For Chrome version >= 24 For the browser Chrome you can use this intent-based URI: obj.href="intent://view/#Intent;parameter. /// ; ; ; ; ; ;end" The basic syntax for an intent-based URI is as follows: intent: HOST/URI-path // Optional host #Intent; package=[string]; action=[string]; © Swish 19 category=[string]; component=[string]; scheme=[string]; end; To check which browser that is used, use the value of userAgent in JavaScript 6 Test Environment A Merchant Swish Simulator is available for merchants to test their integration with Swish API. The Merchant Swish Simulator will validate requests and return simulated but correctly formatted responses. The Merchant Swish Simulator will return a simulated result of the request in the callback URL. It is also possible to retrieve the payment request status, and to simulate different error situations. A user guide for the Merchant Swish Simulator, can be be found at https://www.getswish.se/handel. 7 Production Environment The Swish server IP address for IP filtering: 194.242.111.220:443 Swish API URL: https://swicpc.bankgirot.se/swish-cpcapi/api/v1/paymentrequests https://swicpc.bankgirot.se/swish-cpcapi/api/v1/refunds Swish server TLS certificate is issued under the following root CA that should to be configured as trusted: cn=Swish Root CA v1 ou=Swish Member Banks CA o=Getswish AB The complete certificate chain of the Swish server TLS certificate is available through Swish Certificate Management. 8 Guidelines for using the Swish API When integrating with Swish API the following guidelines will support stable performance of the system and a smooth consumer experience. 8.1 Consumer in control of payment requests © Swish 20 Each payment request transaction sent to the API must be initiated by a physical paying consumer. The merchant must make sure that the consumer does not receive what he/she perceives as “spam” or unwanted payment requests. 8.2 Use the call-back for payment requests and refunds When sending the payment request or refund a call-back is provided to the merchant of the status of the payment. This is the normal usage scenario, which should be used in most cases. As a backup there is also a “Retrieve” for Payment Requests and Refunds for reconciliation in the case that the normal call-back fails for some reason. Note that this is a backup – and not the standard flow for receiving payment status. 8.3 Refund transactions – avoid large batches The “create refund” message is intended for real-time one-by-one calls. It is not intended for batching up a large quantity and then sending the whole batch in a short period of time. There should be at least 1 second between each refund transaction and if more than 100 transactions are to be sent in a sequence they should be sent during night time. 8.4 Renewal of Client TLS Certificate The validity of the client TLS certificate is two years. It is the merchant's responsibility to generate new keys and certificate in due time, prior to the expiry of the old certificate, in order to ensure uninterrupted functionality of the commerce site. The merchant could authorise another company (a partner to the merchant) to manage the certificate renewal process. 8.5 Displaying the Swish alias to consumers When enrolling to Swish the merchant will receive a Swish alias (123 XXX YYYY) which uniquely identifies the enrolment and which is used as an alias to the payee’s bank account. We recommend e-commerce and m-commerce merchants not to expose this to consumers since it 1. Can be used for unprompted payments by entering the Swish alias in the Swish app. 2. Some banks may block unprompted payments to Swish aliases enrolled to “Swish Handel” The Swish alias for transactions generated by payment requests or refunds will not be displayed by the Swish app or the bank’s consumer interfaces. 9 Versioning the Web Service API 9.1 Versions Changes may be made to the API to correct errors or to introduce new functionality. When changed, a new version of the API will be made available via a new URL. Merchant should always use the latest version of the API. The general rule is that old versions of the API will be discontinued two years after the release of the successor. But if deemed necessary, for example for security reasons, a version of the API may be © Swish 21 discontinued prematurely. As new functionality is introduced to the system the behaviour of an existing version of the API may change, e.g. existing faults may also be used in new situations. 10 Support 10.1 Deployment support Please see the manuals and FAQ available at https://www.getswish.se/handel If you can’t find the technical information you need, you can contact the deployment support organisation. The contact details are also published at https://www.getswish.se/handel. For all commercial questions, please contact your bank. 10.2 Operating information Operating information is available at https://getswish.se/driftsinformation © Swish 22 11 Swish API Description 11.1 Payment Request Payment requests are created/retrieved with the operations listed below. There are two main flows to this use case, one for Swish m-commerce and one for Swish e-commerce. The main difference is that in the Swish e-commerce case the consumer is prompted for his/her mobile phone number, and then the consumer has to manually open the Swish app. But in the Swish m-commerce case the consumer’s mobile phone number is initially not known to the merchant. So instead, in this case, the API returns a Payment request token. This token is used to build a so called Swish URL, which the merchant can use to call the Swish app from their app. The Payment request token is then a parameter to the Swish URL. Once the paymentrequest reached to final state(either Paid , Timeout or Error), the Merchant provided Callback URL will be called by Swish. Even though this callback contains the payment status information, the merchant server should retrieve the result of the payment request directly from the Swish server (refer to Retrieve Payment Request for further details).These flows are illustrated in the pictures below. 11.1.1 Swish e-commerce © Swish 23 11.1.2 Swish m-commerce 11.1.3 Create Payment Request POST /api/v1/paymentrequests The Http request body have to contain a Payment Request Object. Potential Http status codes returned: 201 Created: Returned when Payment request was successfully created. Will return a Location header and if it is Swish m-commerce case, it will also return PaymentRequestToken header. 400 Bad Request: Returned when the Create Payment Request operation was malformed. 401 Unauthorized: Returned when there are authentication problems with the certificate. Or the Swish number in the certificate is not enrolled. Will return nothing else. 403 Forbidden: Returned when the payeeAlias in the payment request object is not the same as merchant’s Swish number. 415 Unsupported Media Type: Returned when Content-Type header is not "application/json". Will return nothing else. 422 Unprocessable Entity: Returned when there are validation errors. Will return an Array of Error Objects. © Swish 24 500 Internal Server Error: Returned if there was some unknown/unforeseen error that occurred on the server, this should normally not happen. Will return nothing else. Potential Error codes returned on Error Objects when validation fails (HTTP status code 422 is returned): FF08 - PaymentReference is invalid RP03 - Callback URL is missing or does not use Https BE18 - Payer alias is invalid RP01 - Missing Merchant Swish Number PA02 - Amount value is missing or not a valid number AM06 - Specified transaction amount is less than agreed minimum AM02 - Amount value is too large AM03 - Invalid or missing Currency RP02 - Wrong formated message RP06 - A payment request already exist for that payer. Only applicable for Swish ecommerce. ACMT03 - Payer not Enrolled ACMT01 - Counterpart is not activated ACMT07 - Payee not Enrolled Create Payment request example (Swish e-commerce): curl -v --request POST https://swicpc.bankgirot.se/swishcpcapi/api/v1/paymentrequests \ --header "Content-Type: application/json" \ --data @- <
Source Exif Data:File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.5 Linearized : No Page Count : 36 Language : sv-SE Tagged PDF : Yes Title : 1.0 Author : Maria Wannefalk Creator : Microsoft® Word 2010 Create Date : 2017:03:24 08:56:57+01:00 Modify Date : 2017:03:24 08:56:57+01:00 Producer : Microsoft® Word 2010EXIF Metadata provided by EXIF.tools