Espago changelog

• Planned: change in the error response format for the /api/charges/{id}/complete query:

{
  "errors": {
    "charge": [
      "is not completable"
    ]
  }
}

{
    "errors": [
        {
            "code": "card:blank",
            "message": "Card can't be blank",
            "param": "card",
            "type": "card_error"
        }
    ]
}

• Changes to the gateway’s SSL configuration:
  • SANDBOX: removal of the DH and DHE cipher suite in TLSv1.2, addition of new ones.
  • PRODUCTION: removed ciphers suites with CBC.
  • No changes in TLSv1.3 ciphers.
• INFO: Ciphers DH/DHE on production gateway will be removed after Q1 2024.

• Chapter describing integration with Fast Bank Transfers was introduced.

• Release of new versions of scripts iFrame 2.0 (https://js.espago.com/iframe-2.0.js) and JS 1.3 (https://js.espago.com/espago-1.3.js), with improved appearance, acceptance of 2 digits year.
• Added path https://js.espago.com/iframe.js for iFrame script, always pointing to the latest version of Espago iFrame (previously iframe-1.0.js, currently iframe-2.0.js).
• Chapter describing integration with BLIK payments. was introduced.

• Chapter describing Google Pay integration was introduced.

• Introduction of categorizing response codes for credit card payments.

• Disabling verification 3D-Secure v1 by Visa and MasterCard, stay EMVCo 3D-Secure v2. On the side of Merchant there is no need to make any changes to the integration.
• Changes in behavior of test cards in “Sandbox” - all cards required 3DS verification in one time payment and with cof=storing (also card 4242 4242 4242 4242)

• In the API query response with incorrect content (e.g. missing mandatory parameter value or bad format), the code parameter was added to theerrors object. It includes a field name and a validation result.
• API v2 is removed.

• changes in the Espago Subscriptions behaviour - in the case of an unsuccessful card authorization attempt during the subscription: if the received issuer_response_code message belongs to “do not repeat” category, the subscription stops. To start a new subscription with the same Client Profile, updating with a new card and strong customer authentication are necessary. Alternatevely, please create a new Client Profile, perform strong customer authentication and start new subscription.

• In the card charge request (/api/charges/): removed skip_3ds parameter due to non-compliance with PSD2 regulations

• Disactivation Aktualizacji danych karty klienta tylko gdy karta jest zautoryzowana, because of incompatibility with PSD2.
• Disactivation Instantly authorize client feature, because of incompatibility with PSD2.

• Supplementing the documentation and SQL file with rejection codes 1A and 65 (related to the lack of SCA / 3D-Secure), and B ## codes (Espago rejection of payments that are known to be unsuccessful)

• Disabling protocol TLSv1.1 in production Espago gateway (currently supported: TLSv1.2 and TLSv1.3).

• Enabling 3-D Secure version 2 (EMV 3-D Secure) on some Merchant’s accounts.

• Using in payment status state=tds_redirected during whole 3-D Secure (both v2 or v1) authentication. Until now, such state was presented only in transaction object in this time.

• Adding sca_payment to client profile properties (exists when there was used parameter cof=storing in initiated payment or payment using client profile or updating client).

• Adding a payment for the amount of “0” PLN/EUR/etc, used to authenticate the client with SCA and save the card details, without charging him (or withdrawing this payment). ** NOTE ** Amount of 0 is available only with Elavon acquirer.

• Integration with SIX/SaferPay - adding new payment channel to Espago gateway (according to Merchant agreement: channel=six_cc).

Changes in issuer response codes related to 3D-Secure:

E3 - 3D-Secure error in bank.
E4 (new) - 3D-Secure authentication failed.
E5 (new) - Other 3D-Secure error.

Creating new documentation https://start.espago.com
Old documentation (https://developers.espago.com) remains available.

Adding Card on file parameter (cof = storing, recurring, instalment, unscheduled and other) for payments related to saving card data or made payment using card data saved in client profile:

• Parameter “cof=storing” added to payment enables creating of client profile (no need to additional request for client create).
• For backward compability, from August 2019 by default all payments with parameter “recurring=true” have automatically set “cof=recurring” in Espago (Merchant can overwrite this parameter with other cof values).

Change of guidelines related to 3D-Secure verification (changes related to PSD2 and preparation for 3D-Secure v2.0.0)

• each single payment should be made with 3D-Secure,
• each subscription should be started or preceded by a payment with 3D-Secure,
• each payment made using client profile (in subscription, one-click or on-demand payment) should have COF parameter.

22 may 2019: Adding in production env (secure) changes in lenght of ID parameters. Changes are applied only to newly created objects.

• Changing the initial characters in the parameter transaction ID from “tn_” to “tr_”. The transaction ID will be still 12 characters long (tr_xxxxxxxxx). https://developers.espago.com/v3#320
• Increasing of lenght from 18 to 20 characters of every (without transactions) new ID parameters:
• Payment ID (pay_xxxxxxxxxxxxxxxx)
• Client ID (cli_xxxxxxxxxxxxxxxx)
• Token ID and Token-cvv ID
• Plan ID and subscription ID
• Invoice ID and invoice item ID (elements of subscriptions)
• Increasing from 12 to 14 lenght of parameter Service ID.

Adding in test env (sandbox) changes, which will be applied in production gateway in 21 may 2019 (described in “May 2019” section). Changes will be applied only to newly created objects.

Adding issuer_response_code=15 (in language PL and EN) to SQL file in “Download” section.

• Adding two-factor authentication in the Seller’s panel.
• Adding back-requests during the refund of payment.

• Implementation of Safekey AMEX (3D-Secure on American Express cards).

• Adding a payment refund option to the web panel.

• Adding functions in payment request:
  1.language per transactions (parameter locale)
  2.email addres to sent email notifications (parameter email)
  3.forcing to not send email, even if customer profile has email address (parameter skip_email)

• Adding possibility to accepting using China Union Pay cards (UP/CUP).

• Disabling protocol TLSv1.0 in production Espago gateway.

• Adding Espago Secure Page for creating/updating client profile.

• Updating descriptions of issuer response codes: adding R0, R1, 68, and updating most comments in languages PL, EN and FR. New format of SQL file.

• Introducing Espago iFrame - new, improved soluton for creating token/getting credit card data/creating payments on Seller’s website.

• Adding options skip 3D-Secure function.
• Espago iframe added.

• Double card authorization added.

• Adding API function, to get information about customer’s card: country and bank.
• Improvements in web panel.
• Update footer in mail notifications: adding link to FAQ and seller contact data (this data can be set in web panel).

• Added the fields’ separator “|” in the method of calculating the checksum. The update applies to MasterPass and payment page. The old way of calculating the checksum will be valid until the first quarter of 2017.

• Release Espago JS in version 1.2: https://js.espago.com/espago-1.2.js The use of new script (in place of old 1.1) doesn’t requiere additional changes on Seller website. New script contain several improvements, and add function to create CVV tokens.

• Adding parameter payment_id in back requests when payment is done according to subscription.
• Adding new states of rejected payments according to 3D-Secure rejections and errors. Parameter reject_reason “3ds_not_authorized”, parameter issuer_response_code “E3”.
• Minor updates in description of codes 12 and 62.

• Adding possibility for creating subscription with delayed start.

• Adding protection: escaping six special charactes with accordance with recommendation of OWASP. in all text parameters (description, first_name, last_name, etc.).

• Added the possibility to set the redirect URL for the payment - parameter positive_url and negative_url.

• Adding possibility to redirect customer to secure payment website on Espago gateway.
• Updating description of “issuer_response_code”: 00, 05, 57 in documentation and in sql/xml files.
• Adding new possible payment states: “tds_redirected”, “resigned”.

Changes in SSL/HTTPS requirements

Raising the requirements for connection to the test gateway https://sandbox.espago.com: limiting accepted protocols to TLSv1.2 and TLSv1.1 (excluding TLSv1.0) and raising the requirements for used ssl ciphers (disabling few ciphers which use CBC).

HTTPS configuration currently available in a test environment will be implemented gradually in production gateway, starting from February 2016.

• Adding posssibility to make multiple, partial refund.
• Implementation function for adding CVV to payment made on demand/repeated.

• Further expansion of functions related to payments Espago in module Przelewy24.

• Launch of DCC (Dynamic Currency Conversion) service.
• Changes in allowed payment status in APIv3.0, adding: dcc_decision, tds_status.
• Adding description of new “issuer_response_code”: 91, 92, 95, 98 in documentation.
• Changes in SSL/HTTPS configration, disable supporting weak ciphers.

• Enabling MasterPass service.

• Adding to documentation description of two new error codes “issuer_response_code”: 62 and 75.

• Publishing API v3.0. Old version APIv2.0 can still be used, but most of new functions (described abowe) will be implemented only in APIv3.0.
• Enabling 3D-Secure options.

• Publishing new version of Espago API documentation and moving it to new subdomain.

• Disabling support of SSLv3 for incoming request (API) and outgoing (back_requests).