Archived

This repository existed for a specific collaboration with NHS BSA. The API described was only ever available to a limited audience. It is now superseded by the payment authorisation API.

Please see https://docs.payments.service.gov.uk/moto_payments/ for more details

Version history:

You can store records about phone payments in your GOV.UK Pay account using the API, if you want to report on both your:

• online payments processed by GOV.UK Pay
• phone payments processed by a third-party telephone payment provider

You can then track, refund and report on phone payments using the API or by signing in to the GOV.UK Pay admin tool.

You can only store records about phone payments if all of the following apply:

• you already process online payments using GOV.UK Pay
• you process telephone payments using a third-party provider
• your payment service provider (PSP) is Worldpay
• you can configure your Worldpay merchant account to direct all Worldpay notifications to GOV.UK Pay

You must also set up one GOV.UK Pay account for your online payments and another GOV.UK Pay account for your phone payments. You must not combine your services into one PSP account.

We cannot send email notifications to your users about phone payments.

If you operate a PCI-compliant call centre, you can also take agent-keyed payments over the phone (‘MOTO’ payments) where you fill in GOV.UK Pay payment pages with your users’ details.

Before you can store records about phone payments, you must configure your GOV.UK Pay live account to connect with the Worldpay account used by your third-party telephone payment provider.

Follow the guidance on connecting your live account to Worldpay.

You may need to configure the Capture delay (days) setting differently to make sure that Worldpay captures payments before you call the GOV.UK Pay API. Ask your third-party telephone payment provider if you’re not sure.

When you set up 'Merchant channels' in your Worldpay settings, you must send all notifications to GOV.UK Pay. If you do not, refunds will not work.

The call to notify us about a phone payment with the GOV.UK Pay API is:

POST /v1/payment_notification

You must only store a record about a phone payment on GOV.UK Pay after you've asked Worldpay to capture the money from your user's payment card.

Example request body:

{
  "amount": 14500,
  "reference": "MRPC12345",
  "description": "Pay your council tax",
  "created_date": "2019-02-21T16:04:25Z",
  "authorised_date": "2019-02-21T16:05:33Z",
  "processor_id": "12345",
  "provider_id": "45678",
  "auth_code": "91011",
  "payment_outcome": {
    "status": "success"
  },
  "card_type": "master-card",
  "name_on_card": "Mr Sherlock Holmes",
  "email_address": "[email protected]",
  "card_expiry": "02/19",
  "first_six_digits": "654321",
  "last_four_digits": "1234",
  "telephone_number": "+447700123456"
}

amount is the amount in pence. In the example, the payment is for £145.

The amount must be a number data type.

The minimum amount is one pence. The maximum amount is 10,000,000 pence (£100,000).

reference is the reference number you wish to associate with this payment. It must be a string.

The reference number does not need to be unique, and must not:

• be longer than 255 characters
• contain URLs

description is a human-readable description of the payment. This is shown to your staff in the GOV.UK Pay admin tool.

The description must be no longer than 255 characters, and must not contain URLs.

provider_id is the orderCode you received from Worldpay when you requested authorisation. It must be a string.

provider_id is used as an idempotency key for notification API calls. If a payment already exists with the provider_id you provided, the API will not store a record about a new payment, or update or change the record about a payment you previously stored.

payment_outcome is what you received from Worldpay after you asked them to authorise the payment.

The status, code and supplemental parameter values you include will depend on what happened.

If the status is failed, you can also include a supplemental object in payment_outcome. This object must include the error_code and error_message Worldpay sent to you.

For example:

  "payment_outcome": {
    "status": "failed",
    "code": "P0010",
    "supplemental": {
      "error_code": "E1234",
      "error_message": "The payment card does not exist."
    }
  },

error_code and error_message must be 50 characters or fewer.

card_type must be one of the following strings:

• master-card
• visa
• maestro
• diners-club
• american-express
• jcb

processor_id is the unique internal reference number you want to associate with this payment for your own reporting purposes. It must be a string.

auth_code is the AuthorisationId you received from Worldpay when it authorised the payment. It must be a string of 50 characters or less.

created_date is the time when you initiated the payment - for example when you received the phone call from your user. It must be:

• in ISO 8601-1 datetime format, including the time zone
• 50 characters or less

authorised_date is the time when Worldpay authorised the payment. It must be:

• in ISO 8601-1 datetime format, including the time zone
• 50 characters or less

name_on_card is your user's name on the front of their payment card.

email_address is your user's email address.

card_expiry is the expiry date of your user's payment card, in MM/YY format, for example 11/22. It must be a string.

first_six_digits is the first 6 digits of the 16-digit number on the front of your user's payment card. It must be a string.

last_four_digits is the last 4 digits of the 16-digit number on the front of your user's payment card. It must be a string.

telephone_number is your user's telephone number. It must be a string of 50 characters of less.

After you make the API call, the API will respond with an HTTP status code of:

• 200 if the payment was successfully added to your GOV.UK Pay account
• a 400 or 500 status code if the payment was not added

If the code is a 400 or 500, you must retry the API call. You can retry a maximum of once per hour, for up to 72 hours. Contact us if you're still receiving a 400 or 500 status code after 72 hours.

You can get information about a payment using the API or by signing in to the GOV.UK Pay admin tool.

Some of the fields will be returned in a metadata object in the API response.

Example API response:

{
    "amount": 12000,
    "description": "Apply for a passport",
    "reference": "MRPC12345",
    "payment_provider": "sandbox",
    "provider_id": "17498-8412u9-1273891239",
    "payment_id": "2neaugk4iggr8ts039pv75g24f1",
    "email": "[email protected]",
    "card_brand": "Mastercard",
    "created_date": "2020-04-21T13:55:36.705Z",    
    "metadata": {
        "status": "failed",
        "code": "P0010",
        "error_code": "E1234",
        "error_message": "The payment card does not exist",
        "telephone_number": "+44000000000",
        "processor_id": "183f2j8923j8",
        "created_date": "2018-02-21T16:04:25Z",
        "authorised_date": "2018-02-21T16:05:33Z",
        "auth_code": "666"
    },
    "state": {
        "status": "failed",
        "finished": true,
        "message": "Payment method rejected",
        "code": "P0010"
    },
    "card_details": {
        "last_digits_card_number": "1234",
        "first_digits_card_number": "654321",
        "cardholder_name": "Example name",
        "expiry_date": "02/19",
        "billing_address": null,
        "card_brand": "Mastercard",
        "card_type": null
    },
}

You can refund a payment.

MIT License

GOV.UK Pay aims to stay secure for everyone. If you are a security researcher and have discovered a security vulnerability in this code, we appreciate your help in disclosing it to us in a responsible manner. We will give appropriate credit to those reporting confirmed issues. Please e-mail [email protected] with details of any issue you find, we aim to reply quickly.