Mastercard Payment Gateway API Reference: Operations -
Version 79,
Protocol: REST-JSON

Create Session

Request to create a payment session. A payment session can be used to temporarily store any of the request fields of operations that allow a session identifier as a request field.

The request fields stored in the session may then be used in these operations by providing the session identifier. They may be updated and obtained using the Update Session and Retrieve Session operation respectively.

URL https://na.gateway.mastercard.com/api/rest/version/79/merchant/{merchantId}/session
HTTP Method POST
Authentication This operation requires authentication via one of the following methods:
  • Certificate authentication.
  • Basic HTTP authentication as described at w3.org. Provide 'merchant.<your gateway merchant ID>' in the userid portion and your API password in the password portion.

Request Parameters

correlationId  String = OPTIONAL

A transient identifier for the request, that can be used to match the response to the request.
The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.
Existence
OPTIONAL
Fixed value
Validation Rules
Data can consist of any characters
XSD type
string
minimum length
1
maximum length
100

session.authenticationLimit  Integer = OPTIONAL

The number of operations which may be submitted to the gateway using this session id as a password.

This field applies when you write a browser or mobile app that issues operations to the gateway from the device, using the session id as a password.
In that case, a payer (or a compromised browser), could issue a large number of requests to the gateway on your behalf, and you could incur unnecessary fees as a result.

This field lets you limit your exposure to that risk. The value defaulted by the gateway is suitable for typical payments. There is an upper limit (your operation will be rejected if that limit is exceeded).
Existence
OPTIONAL
Fixed value
Validation Rules
JSON number data type, restricted to being positive or zero. In addition, the represented number may have no fractional part.
JSON type
Number
minimum value
0
maximum value
25

{merchantId}  Alphanumeric + additional characters COMPULSORY

The unique identifier issued to you by your payment provider.
Existence
COMPULSORY
Validation Rules
Data may consist of the characters 0-9, a-z, A-Z, '-', '_'
XSD type
string
minimum length
1
maximum length
40

Response Parameters

merchant  Alphanumeric + additional characters = Always Provided

The unique identifier issued to you by your payment provider.
Existence
Always Provided
Fixed value
Validation Rules
Data may consist of the characters 0-9, a-z, A-Z, '-', '_'
JSON type
String
minimum length
1
maximum length
40

result  Enumeration = Always Provided

A system-generated high level overall result of the transaction/operation.
Existence
Always Provided
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
FAILURE
The operation was declined or rejected by the gateway, acquirer or issuer
PENDING
The operation is currently in progress or pending processing
SUCCESS
The operation was successfully processed
UNKNOWN
The result of the operation is unknown

session.aes256Key  ASCII Text = Always Provided

The key you can use to decrypt sensitive data passed to your website via the payers's browser or mobile device.

For some gateway operations invoked via a payer device, you supply your website as a return URL.
On return to your website, the gateway will encrypt sensitive data using this symmetric key. Most integrations do not need that sensitive data, and can ignore this parameter.

This is a Base64 encoded AES256 key, generated uniquely for this session.

This key should never be exposed to the payer environment.
Existence
Always Provided
Fixed value
Validation Rules
Data consists of ASCII characters
JSON type
String
minimum length
44
maximum length
44

session.authenticationLimit  Integer = Always Provided

The number of operations which may be submitted to the gateway using this session id as a password.

This field applies when you write a browser or mobile app that issues operations to the gateway from the device, using the session id as a password.
In that case, a payer (or a compromised browser), could issue a large number of requests to the gateway on your behalf, and you could incur unnecessary fees as a result.

This field lets you limit your exposure to that risk. The value defaulted by the gateway is suitable for typical payments. There is an upper limit (your operation will be rejected if that limit is exceeded).
Existence
Always Provided
Fixed value
Validation Rules
JSON number data type, restricted to being positive or zero. In addition, the represented number may have no fractional part.
JSON type
Number
minimum value
0
maximum value
9999

session.id  ASCII Text = Always Provided

The identifier for the payment session.
You can add request fields to the session using a Hosted Payment Form or wallet provider interaction, or the Update Session operation.
Existence
Always Provided
Fixed value
Validation Rules
Data consists of ASCII characters
JSON type
String
minimum length
31
maximum length
35

session.updateStatus  Enumeration = Always Provided

A summary of the outcome of the last attempt to modify the session.
In order to perform an operation using this session this value must be SUCCESS.
Existence
Always Provided
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
FAILURE
The last attempt to place data into the session was unsuccessful. The session may contain invalid data. A request operation using this session will be rejected by the payment gateway.
NO_UPDATE
No attempt has been made to place data into the session. A request operation using this session will be rejected by the payment gateway.
SUCCESS
The last attempt to update the session was successful. You may submit a request operation using this session.

session.version  ASCII Text = Always Provided

Use this field to implement optimistic locking of the session content.
Do this if you make business decisions based on data from the session and wish to ensure that the same data is being used for the request operation.

To use optimistic locking, record session.version when you make your decisions, and then pass that value in session.version when you submit your request operation to the gateway.

See Making Business Decisions Based on Session Content.
Existence
Always Provided
Fixed value
Validation Rules
Data consists of ASCII characters
JSON type
String
minimum length
10
maximum length
10

correlationId  String = CONDITIONAL

A transient identifier for the request, that can be used to match the response to the request.
The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.
Existence
CONDITIONAL
Fixed value
Validation Rules
Data can consist of any characters
XSD type
string
minimum length
1
maximum length
100

lineOfBusiness  String = CONDITIONAL

Your payment service provider might have configured your merchant profile to support several lines of business.
Each line of business can have different payment parameters, such as bank account, supported cards or such.

For example, lineOfBusiness = TICKET_SALES can have a different bank account from lineOfBusiness = MERCHANDISING. One line of business on your profile might be "null". To use that, do not provide the lineOfBusiness field.
Existence
CONDITIONAL
Fixed value
Validation Rules
Data can consist of any characters except space
JSON type
String
minimum length
1
maximum length
100

merchant  Alphanumeric + additional characters = Always Provided

The unique identifier issued to you by your payment provider.
Existence
Always Provided
Fixed value
Validation Rules
Data may consist of the characters 0-9, a-z, A-Z, '-', '_'
JSON type
String
minimum length
1
maximum length
40

result  Enumeration = Always Provided

A system-generated high level overall result of the transaction/operation.
Existence
Always Provided
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
FAILURE
The operation was declined or rejected by the gateway, acquirer or issuer
PENDING
The operation is currently in progress or pending processing
SUCCESS
The operation was successfully processed
UNKNOWN
The result of the operation is unknown

session.aes256Key  ASCII Text = Always Provided

The key you can use to decrypt sensitive data passed to your website via the payers's browser or mobile device.

For some gateway operations invoked via a payer device, you supply your website as a return URL.
On return to your website, the gateway will encrypt sensitive data using this symmetric key. Most integrations do not need that sensitive data, and can ignore this parameter.

This is a Base64 encoded AES256 key, generated uniquely for this session.

This key should never be exposed to the payer environment.
Existence
Always Provided
Fixed value
Validation Rules
Data consists of ASCII characters
JSON type
String
minimum length
44
maximum length
44

session.authenticationLimit  Integer = Always Provided

The number of operations which may be submitted to the gateway using this session id as a password.

This field applies when you write a browser or mobile app that issues operations to the gateway from the device, using the session id as a password.
In that case, a payer (or a compromised browser), could issue a large number of requests to the gateway on your behalf, and you could incur unnecessary fees as a result.

This field lets you limit your exposure to that risk. The value defaulted by the gateway is suitable for typical payments. There is an upper limit (your operation will be rejected if that limit is exceeded).
Existence
Always Provided
Fixed value
Validation Rules
JSON number data type, restricted to being positive or zero. In addition, the represented number may have no fractional part.
JSON type
Number
minimum value
0
maximum value
9999

session.id  ASCII Text = Always Provided

The identifier for the payment session.
You can add request fields to the session using a Hosted Payment Form or wallet provider interaction, or the Update Session operation.
Existence
Always Provided
Fixed value
Validation Rules
Data consists of ASCII characters
JSON type
String
minimum length
31
maximum length
35

session.updateStatus  Enumeration = Always Provided

A summary of the outcome of the last attempt to modify the session.
In order to perform an operation using this session this value must be SUCCESS.
Existence
Always Provided
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
FAILURE
The last attempt to place data into the session was unsuccessful. The session may contain invalid data. A request operation using this session will be rejected by the payment gateway.
NO_UPDATE
No attempt has been made to place data into the session. A request operation using this session will be rejected by the payment gateway.
SUCCESS
The last attempt to update the session was successful. You may submit a request operation using this session.

session.version  ASCII Text = Always Provided

Use this field to implement optimistic locking of the session content.
Do this if you make business decisions based on data from the session and wish to ensure that the same data is being used for the request operation.

To use optimistic locking, record session.version when you make your decisions, and then pass that value in session.version when you submit your request operation to the gateway.

See Making Business Decisions Based on Session Content.
Existence
Always Provided
Fixed value
Validation Rules
Data consists of ASCII characters
JSON type
String
minimum length
10
maximum length
10

error   = CONDITIONAL

Information on possible error conditions that may occur while processing an operation using the API.
Fixed value

error.cause  Enumeration = CONDITIONAL

Broadly categorizes the cause of the error.
For example, errors may occur due to invalid requests or internal system failures.
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
INVALID_REQUEST
The request was rejected because it did not conform to the API protocol.
REQUEST_REJECTED
The request was rejected due to security reasons such as firewall rules, expired certificate, etc.
SERVER_BUSY
The server did not have enough resources to process the request at the moment.
SERVER_FAILED
There was an internal system failure.

error.explanation  String = CONDITIONAL

Textual description of the error based on the cause.
This field is returned only if the cause is INVALID_REQUEST or SERVER_BUSY.
Fixed value
Validation Rules
Data can consist of any characters
JSON type
String
minimum length
1
maximum length
1000

error.field  String = CONDITIONAL

Indicates the name of the field that failed validation.
This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.
Fixed value
Validation Rules
Data can consist of any characters
JSON type
String
minimum length
1
maximum length
100

error.supportCode  String = CONDITIONAL

Indicates the code that helps the support team to quickly identify the exact cause of the error.
This field is returned only if the cause is SERVER_FAILED or REQUEST_REJECTED.
Fixed value
Validation Rules
Data can consist of any characters
JSON type
String
minimum length
1
maximum length
100

error.validationType  Enumeration = CONDITIONAL

Indicates the type of field validation error.
This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
INVALID
The request contained a field with a value that did not pass validation.
MISSING
The request was missing a mandatory field.
UNSUPPORTED
The request contained a field that is unsupported.

result  Enumeration = CONDITIONAL

A system-generated high level overall result of the operation.
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
ERROR
The operation resulted in an error and hence cannot be processed.

Copyright © 2023 Mastercard