-
Card Storage
Card Storage
Card Storage General Concept
By using token retrieval services, merchants obtain a unique token by ensuring that the customer card information they send in the transaction is securely encrypted on Garanti Bank servers without creating a payment. During the service call, validation checks are performed for the card from which the token is obtained. If the card is eligible for authorization, the token information generated as a result of the transaction is returned to the merchant in the response message.
For token purchase transactions sent with bank cards other than Garanti Bank cards, a sale transaction of 0.11 TL is made by the system for each token purchase transaction for card validation. If the sale transaction is successful, a token value is generated for the card and the sale transaction of 0.11 TL is automatically canceled. This transaction is not displayed on the cardholder's e-statement.
Merchants should store the token information returned in the service response by associating it with customer data (e.g. registration number, customer number, etc.) for later use in payment transactions.
The token information generated on Garanti Bank servers instead of the card information or customer information sent in the transaction is stored in a form associated with the merchant. The management and use of tokens belongs to the merchant.
Test Environment
The TEST BASE URL to be used for testing Card Storage and Switch services is as follows:
TEST BASE URL: https://gbtaksimtunel-integration.garanti.com.tr/
Note: This TEST BASE URL represents the virtual environment offered by Garanti Bank and is intended to be used for testing purposes instead of real transactions. Transactions in this environment do not have real financial implications as in a live environment and only work through test scenarios.
The test environment allows to test the performance and reliability of the application by simulating different scenarios and error conditions. It can also be used to verify that API requests and responses are processed correctly.
During testing, it is important to understand how to react to potential error situations, how to handle errors and how to ensure that the system is working correctly. Testing is also important for security and compliance, and a successful testing phase must be achieved before going live.
It should be noted that errors in the test environment may be temporary. The development team should prefer to contact ETicaretDestek@garantibbva.com.tr support units in case possible errors recur frequently. In this way, problems will be solved more quickly and effectively, ensuring that the testing process proceeds efficiently. Successful testing contributes greatly to the safe and smooth transition of the application and systems to the live environment.
The following information can be used to send in API requests in the test environment. These values will be used in all request types:
| Title | Value |
|---|---|
| Switch ID: | CC82C381E078482AB328943FCCB7100C |
| Switch Şifresi: | 123asdASD@ |
This is the authentication information that will be used to test the Card Storage and Switch APIs. Care must be taken to use these credentials correctly in order to perform the tests successfully and get accurate results. Making sure that API requests are made with these credentials is important for the reliability and success of the tests.
Production Environment (Obtaining Merchant Credentials)
In order to send requests with real data in the production environment of the merchant, after the integration is completed in the test environment, the merchant must obtain the Switch ID value by sending the Garanti Sanalpos terminal number to ETicaretDestek@garantibbva.com.tr.
Based on the obtained Switch ID value, the hash data created for security purposes in API requests must be calculated. This hash data must also include the Switch Password of the merchant. Details about the hash calculation will be explained in the following sections.
The Switch Password of the member workplace must be created under the Password Update menu on the management screens of the member workplace. This process is performed by the member workplace admin user.
Detailed information about creating a Switch Password can be found under the "Password Update" heading. In this way, merchants can securely make API requests with real data and successfully complete the GarantiBBVA Switch integration.
API Request and Response Header Information
In all JSON API requests to the card storage and Switch system, the Request Header field must be sent completely. With these fields, the fields in the related transaction are checked and it is checked whether the data sent is valid or not. The response header field will be returned in the JSON API response information of all of the aforementioned requests. Content-Type of all JSON API requests must be application/json type. Again, the encoding of all JSON API requests must be in UTF-8 format.
Request Header tag and the parameters to be sent under it are as follows:
| Field | Type | Requirement | Length | Description |
|---|---|---|---|---|
| requestId | String | Yes | Max 36 Character | The unique ID value generated for each transaction. |
| swtId | String | Yes | Max 36 Character | This is the field where the switch ID value defined on behalf of the workplace or company performing the operation is sent. In tests, the swtId transmitted in the upper segment can be used. For the Prod environment, the swtId defined for the workplace should be used. |
| timestamp | String | Yes | - | Transaction time is sent in this field. |
| userId | String | Yes | Max 36 Character | This is the field where the ID value of the user who performed the transaction is sent. Any data can be sent, but it is recommended to be a workplace specific value. The purpose of this data is to distinguish which person or system is handling the request. |
| hashedData | String | Yes | - | By the workplace JSON API Request Hash Calculation Example The value generated by calculating the hash according to the criteria given under the heading is sent in this field. |
The Response Header tag and the parameters to be returned under it are as follows:
| Field | Type | Description |
|---|---|---|
| requestId | String | It is the unique ID value generated for each transaction. It will hold the same value as the field sent in the request header. |
| swtId | String | This is the field where the switch ID value defined on behalf of the workplace or company performing the transaction is sent. It will hold the same value as the field sent in the request header. |
| timestamp | Timestamp | The transaction time is sent in this field. The value here is the timestamp of the transaction in the Card Storage and Switch system. |
| userId | String | This is the field where the ID of the user who performed the transaction is sent. It will hold the same value as the field sent in the request header. |
| hashedData | String | JSON API Response Hash Calculation ExampleA hash is calculated according to the criteria given under the heading and the generated value is sent in this field. |
In all JSON API responses, in addition to the header field, a Map called errorMap is returned outside the header field, which indicates whether the fields sent in the request contain data errors.
| Field | Type | Description |
|---|---|---|
| errorMap | Map<String, String> | It tells whether the fields sent in the request contain a data error. |
Hash Calculation for Service Calls
The following describes the header tag and fields of a sample request message to be sent to the Warranty Switch APIs:
\"header\": {\n \"requestId\": \"unique_request_id\",\n \"swtId\": \"CC82C381E078482AB328943FCCB7100C\",\n \"userId\": \"your_user_id\",\n \"timestamp\": \"15032021151020\",\n \"hashedData\": \"Buraya hesaplanan hash değeri gelmelidir\"\n}
HashedData Calculation:
The "HashedData" field is used to verify the integrity of the API request for security purposes. The following steps are followed to calculate this field:
- Concatenate: Öncelikle, "requestId", "swtId", "userId" ve "timestamp" ve "swtPassword" değerleri birleştirilir.
- Hashing: Daha sonra, bu birleştirilmiş değer, SHA256 algoritması kullanılarak bir hash değerine dönüştürülür.
- Uppercase: Son olarak, elde edilen hash değeri büyük harfe çevrilir.
Sample Data and Calculation
requestId = \"unique_request_id\"\nswtId = \"CC82C381E078482AB328943FCCB7100C\"\nuserId = \"your_user_id\"\ntimestamp = \"15032021151020\"\nswtPassword = \"123asdASD@\"\n\nConcatenatedValue = \"unique_request_idCC82C381E078482AB328943FCCB7100Cyour_user_id15032021151020123asdASD@\"\nHashedData = UPPERCASE(SHA256(ConcatenatedValue))\nHashedData = \"1188B66CDFDDBAAD848CDFCC0749E1B41BC0AD8BD7F9D6004E45517400095933\"\n
Calculated Final Header Data Example
\"header\": {\n \"requestId\": \"unique_request_id\",\n \"swtId\": \"CC82C381E078482AB328943FCCB7100C\",\n \"userId\": \"your_user_id\",\n \"timestamp\": \"15032021151020\",\n \"hashedData\": \"1188B66CDFDDBAAD848CDFCC0749E1B41BC0AD8BD7F9D6004E45517400095933\"\n}
Hash Calculation for Service Responses
The sample response header information and the hash calculation method for this information to verify the hashedData parameter in the response returned in the transaction results are as follows:
Sample Response Header
\"header\": {\n \"requestId\": \"ba0e96080c7b4216847ef71197d4ad06\",\n \"swtId\": \"CC82C381E078482AB328943FCCB7100C\",\n \"returnCode\": \"00\",\n \"reasonCode\": \"00\",\n \"message\": \"Başarılı\",\n \"timestamp\": 1615734734018,\n \"hashedData\": \"937D994CF3CB41912FE90595FD431197DB809B9C968B4C9F652B637434BCAAA5\"\n}
HashedData Calculation:
The "timestamp" field in the Response is returned as Unix Timestamp, but this value must be used in String format for hash calculation. Therefore, the Unix Timestamp value must be converted to String format.
The following steps are followed for HashedData calculation:
- Concatenate: "requestId", "swtId", "returnCode", "reasonCode", "message" ve "timestamp.getTime()" değerleri birleştirilir. "timestamp.getTime()" ile Unix Timestamp değeri String formatına dönüştürülür.
- Hashing: Birleştirilmiş bu değer, SHA256 algoritması kullanılarak bir hash değerine dönüştürülür.
- Uppercase: Son olarak, elde edilen hash değeri büyük harfe çevrilir.
Example HashedData Calculation:
requestId = \"ba0e96080c7b4216847ef71197d4ad06\"\nswtId = \"CC82C381E078482AB328943FCCB7100C\"\nreturnCode = \"00\"\nreasonCode = \"00\"\nmessage = \"Başarılı\"\ntimestamp = 1615734734018 (Unix Timestamp değeri)\nSwitch Password = \"123asdASD@\"\n\nHashedData hesaplaması için bu değerler kullanılırsa:\n\nConcatenatedValue = \"ba0e96080c7b4216847ef71197d4ad06CC82C381E078482AB328943FCCB7100C0000Başarılı1615734734018123asdASD@\"\nHashedData = UPPERCASE(SHA256(ConcatenatedValue))\nHashedData = \"937D994CF3CB41912FE90595FD431197DB809B9C968B4C9F652B637434BCAAA5\"\n
The hashedData value is the same as the value specified in the sample response header. In this way, the correctness of the hashedData value in API responses can be verified and data integrity is ensured.
Token Retrieval via Card Login Screen
If card information cannot be transmitted during the token retrieval request, a token retrieval request can be made with the card login screen. The redirectUrl information must be sent in the service request and accordingly, a URL will be sent to open the card login page in the directUrl field on the service return. By opening this URL in the browser, the card information screen will be accessed. Here, the token retrieval request can be made by filling in the required fields. API request path is the same as token generate.
PROD Environment:\nhttps://kartsaklamabackend.garanti.com.tr/api/token/generate\n\nTEST Environment:\nhttps://gbtaksimtunel-integration.garanti.com.tr/api/token/generate\n
Parameters to be sent to Service
The parameters that must be sent in addition to the Request Header field in the token receiving service with the Switch Payment Page are as follows:
| Field | Type | Requirement | Length | Description |
|---|---|---|---|---|
| additionalData | String | Hayır | Max120 Character | It is used to send information such as policy number etc. to be associated with the token or to manage scenarios where different customers store the same card. If no value is sent in this field, the same token value is generated for the same card. If the token information received for the card needs to be differentiated for the policy number or a similar value, this differentiation can be provided with the additionalData field. |
| redirectUrl | String | Yes | - | This is the url information that should be sent to be used in token retrieval transactions via Switch Payment Page. The token information will be posted as a form to this url via the payment page. |
Parameters Returned from Service
The parameters returned from the Switch Payment Page and token receiving service in addition to the response header field are as follows:
| Field | Type | Description |
|---|---|---|
| directUrl | String | When you want to get token with Switch Payment Page, the url to be entered in the browser will be returned in this field. |
The parameters that will be returned as a result of the form to be executed with directUrl are as follows:
| Field | Type | Description |
|---|---|---|
| token | String | The token ID value generated as a result of the transaction. This value should be stored by the merchant in relation to the customer to be sent in payment transactions. |
| requestId | String | It is the unique ID value generated for each transaction. It will hold the same value as the field sent in the request header. |
| swtId | String | This is the field where the switch ID value defined on behalf of the workplace or company performing the transaction is sent. It will hold the same value as the field sent in the request header. |
| success | Boolean | Indicates whether the operation was successful. |
| message | String | Transaction result message. |
| maskedCardNum | String | The token is a masked version of the card to be generated. |
| hashedData | String | The hash data generated according to the instructions described in Response Hash Calculation with Switch Payment Page will be returned in this field. |
Sample Request Message
The sample request and response to receive tokens with the Switch payment page is as follows:
{\n \"header\": {\n \"requestId\": \"ea284207981d4f7c90851dc0d801f17c\",\n \"swtId\": \"CC82C381E078482AB328943FCCB7100C\",\n \"userId\": \"your_user_id\",\n \"hashedData\": \"93D4DF3FAA954B817EDFF4E383E6D35DB3C7B345B4263D8C5D14A47FE1EBBEE 6\",\n \"timestamp\": \"2021-03-22T13:42:41.304Z\"\n },\n \"additionalData\": \"a8a289eea0114533a49b86431c31b8af\",\n \"redirectUrl\": \"https://eticaret.garanti.com.tr/destek/postback.aspx\"\n}
Sample Reply Message
{\n \"header\": {\n \"requestId\": \"ea284207981d4f7c90851dc0d801f17c\",\n \"swtId\": \"CC82C381E078482AB328943FCCB7100C\",\n \"returnCode\": \"00\",\n \"reasonCode\": \"00\",\n \"message\": \"Başarılı\",\n \"timestamp\": 1616420561722,\n \"hashedData\": \"628BC8E3A7A2165D09FC3A6FF1CAFB6E55F454B73A7E91C48A17B0E54A0CBE8 4\"\n },\n \"directUrl\": \"https://gbtaksimtunel- integration.garanti.com.tr/ui/card/store?h=e39decb2703b99683ec6ec8da24a1430f7c 1eff32f2e5ab27ec450827ad45a8f\"\n}
Token Retrieval Response Hash Calculation with Card Login Screen
The value in the hashedData parameter returned in the transaction result form must be verified. The hash is calculated according to some fields in the form response. The fields included in the calculation in the form response are indicated in bold font. These fields are included in the calculation as String. The specified fields are concatenated and the concatenated String is hashed with SHA256 algorithm and converted to uppercase letters. In the Switch Password section, the password in the above segment should be used for test and the password defined by the workplace should be used for prod.
Sample Response Form and its hash calculation:\n\nToken : 99024FBE3B194F7F850D9D59DADDC657\nRequestId : ea284207981d4f7c90851dc0d801f17c \nSuccess : true\nMessage : Success\nMaskedCardNum : 554960******1019\n\nhashedData = UPPERCASE(SHA256(token & requestId & success & Switch Password))\nhashedData: UPPERCASE(SHA256(99024FBE3B194F7F850D9D59DADDC657ea284207981d4f7c9085\n1dc0d801f17ctrue123asdASD@))\n\nhashedData: \"D7F2BA7B72DEAD12BD4A832154B7676B350D1E137FBD7099C53A69E815A6A8E0\"\n
Card Login Screen and Token Retrieval
The card login screen can be accessed by the merchant by following the steps below and the token purchase process can be realized by entering the card information. The value generated by Direct URL is single-use and has a 5 minute usage period. If one of these two conditions is met, it is necessary to restart the flow.
The URL returned in the directUrl parameter in the reply message is opened in the browser.
Example: https://gbtaksimtunel- integration.garanti.com.tr/ui/card/store? h=e39decb2703b99683ec6ec8da24a1430f7c1eff32f2 e5ab27ec450827ad45a8f
On the card information entry screen, there are fields to enter Card Number and SKT information.
At the end of the transaction, the token information will be returned to the workplace as a form.
Code Examples
Below are links to custom code examples written in various programming languages. You can examine the codes written with predetermined values in detail through the link of your preferred programming language.
These examples contain code for the relevant operation type and are written in different languages, so you can observe various approaches and practices. In this way, you can find the opportunity to work with more understandable and authentic examples of your preferred programming language.
Click for C# Code Examples.
Click for VB.Net Code Examples.
Click here for Java Code Examples.
Click here for PHP Code Examples.
Please note that these examples are written with predefined values and may require adaptation and security measures for use in real projects.
Test Cards
You can find the list of test cards on this page.
