• Multi Bank Virtual POS

3D Pre Authorization General Concepts

It ensures that the balance on the card is blocked for the amount specified for the 3d payment to be realized via Tami. The transaction is first initiated from the 3d verification step. After successful 3d verification, a real pre-authorization process is performed in the 3d completion step.

In the pre-authorization process, the amount is blocked from the card. With the pre-authorization closing process, the payment is taken from the card.

Test/Prod Envirenement API User Information

For Virtual POS transactions, merchants can use the merchant information given in the table below for the controls they want to perform in the test environment.

For Virtual POS transactions to be realized from the prod environment via Tami, the merchant number is obtained by making an application.

You can access the Sandbox test portal at https://sandbox-portal.tami.com.tr. When you log in to the test portal with the users provided below, the transactions made by the workplace connected to this user can be viewed. Transactions can be canceled/refunded.

User Phone Number User Password Sms / Email Otp Workplace Number Terminal Number Secret Key
5346484700 147854 147852 77006950 84006953 0edad05a-7ea7-40f1-a80c-d600121ca51b
5346484709 147850 147852 77006951 84006954 c8581bb6-a4b2-4925-8c94-529fc651399e
5346484803 147850 147852 77006952 84006955 ff7d4895-0c32-4f48-86ab-fb9ecca9f3d7
5346484807 147850 147852 77006953 84006956 33124ff0-0b19-4cf9-b002-13a35eae865b
5346484800 147850 147852 77006954 84006957 7daf9631-e136-4164-9ddb-dd1c02df851d
5346484808 147850 147852 77006956 84006959 fe6f3fff-0434-4932-a27d-bb3dac9de49d

Hash Calculation

The request sent for many transaction types should include the PG-Auth-Token in the header information. The PG-Auth-Token consists of the values "MerchantNumber:TerminalNumber:Hash".

When calculating the hash here, the merchantNumber, terminalNumber, and secretKey information belonging to the merchant are hashed with sha256 and converted to a string.

public class SHA256Example {\n public static String sha256(Long merchantNumber, Long terminalNumber, String secretKey) {\n String text = merchantNumber.toString() + terminalNumber.toString() + secretKey;\n try {\n MessageDigest digest = MessageDigest.getInstance(\"SHA-256\");\n byte[] hash = digest.digest(text.getBytes(StandardCharsets.UTF_8));\n String sha256Hex = DatatypeConverter.printBase64Binary(hash);\n return sha256Hex;\n } catch (NoSuchAlgorithmException e) {\n e.printStackTrace();\n return null;\n }\n }\n}

TAMİ Test Portal Information

You can access the Tami test portal at https://sandbox-portal.tami.com.tr. From this address, you can view the portal screen with the users specified above. 

For your production environment information you can become a member at https://portal.tami.com.tr or You can apply to the e-commerce support unit.

3D Pre Authorization API Informations

In test environment, the "https://sandbox-paymentapi.tami.com.tr/payment/pre-auth" URL will be used.

In production environment, the "https://paymentapi.tami.com.tr/payment/pre-auth" URL will be used.

Request Parameters and Descriptions

The request structure required for Virtual POS Cash/Installment Sales transactions without 3D is indicated in the table below. The information and explanations in the request message should be examined, and the request message should be provided according to the rules specified in this table:

Field Format Maximum Size (O)ptional/(C)onditional/(M)andatory  Description
orderId String (2-36) M The payment request is a singular communication information used in the interaction between Tami-customer. For the merchant and POS pair, this value must be singular.
amount Decimal M The amount is the transaction. The fractional separator must be a period (.).
currency String 3 M Specifies the currency code of the transaction. Example: TRY should be sent for TL.
installmentCount Number M This is the installment information of the desired transaction. For cash transactions, 1 must be sent. Sending 0 is not accepted.
paymentGroup String M Payment group, default PRODUCT should be forwarded
paymentChannel enum  O Payment channel. Valid values are provided in the enum: WEB, MOBILE, MOBILE_WEB, MOBILE_IOS, MOBILE_ANDROID, MOBILE_WINDOWS, MOBILE_TABLET, MOBILE_PHONE
callbackUrl String C If a transaction is desired to be carried out in 3D, it must be sent. The address to which the 3D verification result will be returned is the address associated with the merchant.
card Object M  
cvv String M The security code of the card from which the payment will be taken.
expireMonth Number (1-12) M Expiration date and month of the card from which the payment will be taken.
expireYear Number 4 M The expiration date and year of the card from which the payment will be taken.
holderName String 30 M Name and surname of the cardholder from whom the payment will be received.
number String (5-35) M The card number from which the payment will be received.
billingAddress Object O  
address String 400 O Billing address information on the merchant side.
emailAddress String O E-mail information of the merchant
city String 30 O Billing address city information on the merchant side.
companyName String 100 O Trade name information of the merchant.
country String 50 O Country of the billing address on the merchant side.
contactName String 30 O Billing address, name and surname information on the merchant side.
phone String O GSM number of the buyer on the merchant side.
zipCode String 15 O Postal code of the billing address on the merchant side.
district String 50 O Neighborhood information of the billing address on the merchant side.
shippingAddress Object O  
address String 400 O Delivery address information on the merchant side.
emailAddress String O E-mail information of the merchant
city String 30 O Delivery address city information on the merchant side.
country String 50 O Delivery address country information on the merchant side.
contactName String 30 O Delivery address, name and surname information on the merchant side.
zipCode String 15 O Postal code information of the delivery address on the merchant side.
district String 50 O Delivery address neighborhood information on the merchant side.
buyer Object M Contains information about the buyer on the merchant side
ipAddress String M It is the IP address of the buyer on the merchant side. The real IP address of the recipient must be transmitted.
buyerId String 50 M The buyer's id on the merchant side.
name String 30 M Name of the buyer on the merchant side.
surName String 30 M Last name of the buyer on the merchant side. Buyer object is an optional field, but if any field from the buyer object is sent, surname is required.
identityNumber String 11 O Identification number of the buyer on the merchant side.
city String 50 O City information of the recipient on the merchant side.
country String 50 O Country information of the buyer on the merchant side.
emailAddress String M The e-mail information of the recipient on the merchant side. The e-mail address must be a valid and accessible address of the recipient.
phoneNumber String M The GSM number of the buyer on the merchant side.
registrationAddress String 400 O Recipient's registration address on the merchant side.
zipCode String 15 O Postal code of the recipient on the merchant side.
registrationDate Date O Recording date of the buyer on the merchant side. The date format should be 2015-09-17 23:45:06.
lastLoginDate Date O Last receipt date for the merchant-side buyer. The date format should be 2015-09-17 23:45:06.
basket O  
basketId String 50 C The id of the basket on the merchant side. If an item is sent in the basket, it is mandatory to send basketId.
basket/basketItems List 0  
itemId String 50 C The id of the product in the basket on the merchant side. If the item is transmitted in the basket, it is mandatory to send itemId.
itemType String 50 C The type of the product in the cart at the merchant. Valid enum values: PHYSICAL and VIRTUAL. If an item is sent in the basket, the itemType must be sent.
name String 50 C The name of the product in the basket on the merchant side. If the item is sent in the basket, it is mandatory to send the name.
category String 50 O The category of the product in the cart on the merchant side.
subCategory String 100 O Subcategory of the product in the cart on the merchant side.
unitPrice Decimal min 0.0 O The single amount of the product in the basket on the merchant side.
totalPrice Decimal min 0.0 C The total amount of the product in the basket on the merchant side. It cannot be 0 and less than 0, the sum of the amounts must be equal to the basket amount. If an item is sent in the basket, totalPrice must be sent. Unitprice * numberOfProducts = totalPrice
numberOfProducts Number 1-99999 O The number of products in the basket on the merchant side.
securityHash String M It is the value expected to be calculated and transmitted according in the document. If it is missing or incorrect, the transaction is not routed to the bank, an error is given.

3D Pre Authorization API Request Example

{\n \"amount\": 15,\n \"orderId\": \"order\",\n \"currency\": \"TRY\",\n \"installmentCount\": 1,\n \"card\": {\n \"holderName\": \"Kemal Sunal\",\n \"cvv\": \"\",\n \"expireMonth\": 4,\n \"expireYear\": 2026,\n \"number\": \"4824910501747014\"\n },\n \"billingAddress\": {\n \"emailAddress\": \"email@email.com\",\n \"address\": \"Nisbetiye Barbaros Bulvarı Boulevard, No:96, 34340 Beşiktaş/İstanbul\",\n \"city\": \"İstanbul\",\n \"companyName\": \"SirketAdı\",\n \"country\": \"Türkiye\",\n \"district\": \"Bebek Mah.\",\n \"contactName\": \"İsim Soyisim\",\n \"phoneNumber\": \"05364604016\",\n \"zipCode\": \"343400\"\n },\n \"shippingAddress\": {\n \"emailAddress\": \"email@email.com\",\n \"address\": \"Nisbetiye Barbaros Bulvarı Boulevard, No:96, 34340 Beşiktaş/İstanbul\",\n \"city\": \"İstanbul\",\n \"companyName\": \"SirketAdı\",\n \"country\": \"Türkiye\",\n \"district\": \"Levent\",\n \"contactName\": \"İsim Soyisim\",\n \"phoneNumber\": \"05346484777\",\n \"zipCode\": \"3434221\"\n },\n \"buyer\": {\n \"ipAddress\": \"192.168.1.70\",\n \"buyerId\": \"678654\",\n \"name\": \"Adı\",\n \"surName\": \"Soyadı\",\n \"identityNumber\": 28629160374,\n \"city\": \"İstanbul\",\n \"country\": \"Türkiye\",\n \"zipCode\": \"348222\",\n \"emailAddress\": \"email@email.com\",\n \"phoneNumber\": \"05364609963\",\n \"registrationAddress\": \"Ortaköy Mah. Ulus Sok. Beşiktaş\",\n \"lastLoginDate\": \"2022-11-05T13:39:11.332\",\n \"registrationDate\": \"2022-10-11T12:59:11.332\"\n },\n \"basket\": {\n \"basketId\": \"6489494\",\n \"basketItems\": [\n {\n \"itemId\": \"7448\",\n \"name\": \"basketname1\",\n \"itemType\": \"PHYSICAL\",\n \"numberOfProducts\": 1,\n \"totalPrice\": 15,\n \"unitPrice\": 15\n }\n ]\n },\n \"paymentGroup\": \"PRODUCT\",\n \"callbackUrl\": \"https://gbtunelemulator-d.fw.garantibbva.com.tr/secure3d\", \n \"securityHash\": \"647494994F8494H94894849K849==\"\n}

3D Pre Authorization API Response Example

{\n \"success\": true,\n \"systemTime\": \"2024-03-20T09:47:35.290917608\",\n \"correlationId\": \"correlation4584\",\n \"orderId\": \"order\",\n \"securityHash\": \"68493Gedy8F9302HH94040==\",\n \"amount\": 15,\n \"currency\": \"TRY\",\n \"installmentCount\": 1,\n \"card\": {\n \"binNumber\": \"48249105\",\n \"maskedNumber\": \"4824-9105-xxxx-xx14\",\n \"cardBrand\": \"Garanti\",\n \"cardOrganization\": \"VISA\",\n \"cardType\": \"CREDIT\"\n }\n}

3D Pre Authorization API Response Parameters and Descriptions

Parametre Adı Format Açıklama
 success String If true, the sale is successful, if false, an error was received. error details are shared in error code and error message fields
systemTime DateTime Transaction date
correlationId String Transaction number
orderId String Order number
amount Number Transaction amount
currency String Transaction currency
card/binNumber String First 8 digits of the card
card/maskedNumber String Masked card trick
card/cardBrand String Card brand
card/cardOrganization String Card organization
card/cardType String Card type
threeDSHtmlContent Integer 3d doğrulama sayfasına yönlendirecek html content bilgisidir. Content içeriği base 64'te decode edilerek Html elde edilir.
errorCode String Error code
errorMessage String Error message
securityHash String The value to be used to determine that the result of the operation comes from the correct source. The documentation describes how to calculate it.
Merchant ID
Terminal ID
Secret Key
{\n \"orderId\": \"\",\n \"amount\": 415,\n \"callbackUrl\": \"https://localhost:7229/ThreeDResponse\",\n \"currency\": \"TRY\",\n \"installmentCount\": 1,\n \"motoInd\": false,\n \"paymentGroup\": \"PRODUCT\",\n \"paymentChannel\": \"WEB\",\n \"card\": {\n \"holderName\": \"Mesut Sarıtaş\",\n \"cvv\": \"\",\n \"expireMonth\": 4,\n \"expireYear\": 2026,\n \"number\": \"4824910501747014\"\n },\n \"billingAddress\": {\n \"address\": \"Deneme adresi\",\n \"city\": \"İstanbul\",\n \"companyName\": \"Deneme firması\",\n \"country\": \"Türkiye\",\n \"district\": \"Maltepe\",\n \"contactName\": \"Oğuzhan Okur\",\n \"phoneNumber\": \"07505555555\",\n \"zipCode\": \"34846\"\n },\n \"shippingAddress\": {\n \"address\": \"Deneme adresi\",\n \"city\": \"İstanbul\",\n \"companyName\": \"Deneme firması\",\n \"country\": \"Türkiye\",\n \"district\": \"Maltepe\",\n \"contactName\": \"Oğuzhan Okur\",\n \"phoneNumber\": \"07505555555\",\n \"zipCode\": \"34846\"\n },\n \"buyer\": {\n \"ipAddress\": \"127.0.0.1\",\n \"buyerId\": \"3d427624eb634f96805adf533f4cddcd\",\n \"name\": \"Oğuzhan\",\n \"surName\": \"Okur\",\n \"identityNumber\": 11111111111,\n \"city\": \"İstanbul\",\n \"country\": \"Türkiye\",\n \"zipCode\": \"34846\",\n \"emailAddress\": \"destek@garantibbva.com.tr\",\n \"phoneNumber\": \"07325555555\",\n \"registrationAddress\": \"Maltepe\",\n \"lastLoginDate\": \"2024-11-06T17:36:56.007\",\n \"registrationDate\": \"2024-10-27T17:36:56.007\"\n },\n \"basket\": {\n \"basketId\": \"b76ecf69f89c46bd938326604defbf60\",\n \"basketItems\": [\n {\n \"itemId\": \"4388002\",\n \"name\": \"Lego\",\n \"itemType\": \"PHYSICAL\",\n \"category\": \"Oyuncak\",\n \"subCategory\": \"Çocuk Oyunu\",\n \"numberOfProducts\": 10,\n \"totalPrice\": 30,\n \"unitPrice\": 3\n },\n {\n \"itemId\": \"5647389393\",\n \"name\": \"Piyano\",\n \"itemType\": \"PHYSICAL\",\n \"category\": \"Oyuncak\",\n \"subCategory\": \"Alt Oyuncak\",\n \"numberOfProducts\": 5,\n \"totalPrice\": 385,\n \"unitPrice\": 77\n }\n ]\n }\n}

Hata Oluştu

Başarılı

3D Verification

The bank's 3d verification screen will be displayed with the HTML data obtained as a result of 3D Pre-Authorization initiation. After the cardholder enters the password received on their mobile phone, they will be automatically redirected to the address you specified in the callbackUrl parameter. Tami will post the following values to this address.

When the 3D verification result is successful, the card has not yet been charged. When the succes field returned in the response is true, you can proceed to the next 3D sales transaction completion step to convert the transaction to payment. If the 3D sales transaction is not completed, the card will not be charged.

3D Verification Response Parameters and Descriptions

Field Format Description
cardBrand String Card brand
cardOrganization String Card organization
cardType String Card type
currencyCode String Transaction Currency
hashedData String Value to be used to check the accuracy of the information returned in the answer
installmentCount Number Number of Transaction Installments
maskedNumber Number Card number as masked
mdStatus String It is the mdStatus value returned for informational purposes. It can return 1 for successful cases and 0, 2, 3, 4, 4, 5, 5, 6, 7, 8 for unsuccessful cases.
orderId String Order number
success String Reports the result of the 3d verification process. Returns true if the operation is successful, false if the operation is failed
systemTime DateTime Transaction date
txnAmount Number Transaction amount

In case the Success field returned in the 3D Validation response is false, the table below will help with the cause of the error.

mdStatus Description
mdStatus =0 3D Secure signature or verification invalid 
mdStatus =2 Cardholder or bank not registered in the system
mdStatus =3 The bank of the card is not registered in the system
mdStatus =4 Verification attempt, cardholder chose to register later in the system
mdStatus =5 Unable to verify
mdStatus =6 3D Secure error
mdStatus =7 System error
mdStatus =8 Unknown card no

HashedData Calculation

To verify that the information returned in the 3D Verification response is from the correct source, you can calculate hashedData according to the fields below and compare it with this information in the response. SecretKey is different for each pos belonging to the merchant.

When calculating HashedData, a data is created by bringing all the following parameters side by side in the given order. The secretKey of the merchant is hashed with HMAC sha256 and secretKeySpec is obtained. Two data are sorted in the format specified in the generator below. Base 64 is encrypted and encrypted hashedData is obtained.

NOTE: In advance transactions, "InstallmentCount" is expected to be sent as 1. This information is added to the hashedData.

Parameters used in HashedData calculation;

cardOrg+cardBrand+cardType+maskedNumber+installmentCount+currency+originalAmount+orderID+systemTime+status (success field)

The generator to be used in HashedData calculation is given below;

public static String responseHashGenerate(String systemTime, String status, String maskedNumber, Order order,\n String secretKey) {\n\n String data = order.getCardOrg() + order.getCardBrand() + order.getCardType() +\n maskedNumber + order.getInstallmentCount() + order.getCurrency() +\n order.getOriginalAmount() + order.getOrderId() + systemTime + status;\n String result = \"\";\n try {\n Mac sha256_HMAC = Mac.getInstance(\"HmacSHA256\");\n SecretKeySpec secret_key = new SecretKeySpec(secretKey.getBytes(\"UTF-8\"), \"HmacSHA256\");\n sha256_HMAC.init(secret_key);\n\n result = Base64.encodeBase64String(sha256_HMAC.doFinal(data.getBytes(\"UTF-8\")));\n\n } catch (Exception e) {\n log.error(\"Hash can not be generated \", e);\n }\n return result;\n}

About 3D Pre Authorization Sales Transaction Completion

It is used for Tami merchants to complete transactions that have been successfully 3d verified. By calling this service, the card is not charged for transactions that are not completed in 3d.

3D Pre Authorization Transaction Completion API Information

In test environment, the "https://sandbox-paymentapi.tami.com.tr/payment/complete-3ds" URL will be used.

In production environment, the "https://paymentapi.tami.com.tr/payment/complete-3ds" URL will be used.

3D Pre Authorization Completion Request Parameters and Descriptions

Field Format Max Size (O)psional / (M)andatory Description
orderId String (2-36) M Order number information with successful completion of 3d verification
securityHash String M  It is the value expected to be calculated and transmitted according to the fields specified in the document. If it is missing or incorrect, the transaction is not routed to the bank, an error is given.    

3D Pre Authorization Completion API Request Example

{ \n \"orderId\": \"3dorder\",\n \"securityHash\": \"6488jjnd0993l9399==\"\n}

3D Pre Authorization Completion API Response Example

\n\n{\n \"success\": true,\n \"systemTime\": \"2023-08-10T11:40:02.299\",\n \"correlationId\": \"TEST9962\",\n \"orderId\": \"9a6gsaas4asd9bb7ab46782\",\n \"amount\": 415,\n \"currency\": \"TRY\",\n \"securityHash\": \"7484hdgdgbdn8839393==\",\n \"installmentCount\": 1,\n \"card\": {\n \"binNumber\": \"48249105\",\n \"maskedNumber\": \"4824-9105-xxxx-xx14\",\n \"cardBrand\": \"Garanti\",\n \"cardOrganization\": \"VISA\",\n \"cardType\": \"CREDIT\"\n }\n}

3D Pre Authorization Completion Response Parameters and Descriptions

Field Format Description
 errorCode String Error code
errorMessage String Error message
success String If true, the sale is successful, if false, an error was received. Error details are shared in error code and error message fields
systemTime dateTime Transaction date
correlationId String Transaction number
orderId String Order number
amount Number Transaction amount
currency String Transaction currency information
installmentCount Number Transaction installment count
card/binNumber String First 8 digits of the card
card/maskedNumber String Masked card tric
card/cardBrand String Card brand
card/cardOrganization String Card organization
card/cardType String Card type
securityHash String The value to be used to determine that the result of the operation comes from the correct source. The documentation describes how to calculate it.
POST
Merchant ID
Terminal ID
Secret Key
{ \n \"orderId\": \"\"\n}

Hata Oluştu

Başarılı

Security Hash Calculation

You can use the documentation here to calculate the securityHash field in service requests and incoming service responses. 

Error Codes

You can access the list of error codees on this page.

Test Cards

You can access the list of test cards on this page.

We are here for all your questions and support requests.

Ask a Question Ask a Question