Pay with giropay

Prerequisites

As a prerequisite, you should understand:

Make the Payment

A giropay payment works in principle the same way like eps, or Sofort. It is processed like this:

  1. Your server asks the secuconnect API to authorise and capture the payment.

  2. You direct the payer to an URL provided in the Smart Transaction.

  3. The payer is returned to a success or failure URL, your server has provided before.

To this your server needs to respond accordingly. There is also a push notification for the case the payer is not returned.

The transaction is always captured with the authorisation, even if "auto_capture" is set to false. Payment Initiation Services (PIS) such as Sofort, giropay or eps do not have a two-step process by nature.

The endpoint to authorise and capture a giropay payment is POST /api/v2/Smart/Transactions/{id}/prepare/giropay:

Request
POST /api/v2/Smart/Transactions/STX_WBVJKK82Y2X3MKHN3NZCPAAF6C38AJ/prepare/giropay HTTP/1.1
Host: connect-testing.secupay-ag.de
Authorization: Bearer qb56tjj1bcvo9n2nj4u38k84lo
Content-Type: application/json
Accept: application/json
 
{
"callback_urls": {
"success_url": "https://shop.example.org/sofort/SUCCESS",
"failure_url": "https://shop.example.org/sofort/FAILURE"
}
}

If everthing is fine, the API responds with 200 OK and a respresentation of the Smart Transaction:

Response
HTTP/1.1 200 OK
Content-Type: application/json
...
 
{
"object": "smart.transactions",
"id": "STX_WBVJKK82Y2X3MKHN3NZCPAAF6C38AJ",
// ...
"updated": "2021-04-14T10:14:41+02:00",
"status": "created",
// ...
"payment_method": "giropay",
"trans_id": 34029564,
"iframe_url": "https://ftg-customer-integration.giropay.de/ftgbank/b/bankselection/7261373846141977046;jsessionid=CA00EADB645427E6F6C7517B56C274EE.wmpt02ftgst3om2apsf",
// ...
}

You need to direct the customer to iframe_url now, in order to make the payment.

Despite its name, you should not open the iframe_url within an Iframe ( <iframe> ):

  • It is forbidden to conduct a Sofort payment within an Iframe. (s. link to Sofort Integration Center)

  • 3-D Secure checks can leave the Iframe and switch to full-screen. In this case, the success (success_url) or failure URL (failure_url) of the shop is not opened inside the Iframe, but in the uppermost browser window (DOM window.top).

  • Some popular browsers have very strict same-origin restrictions for third party content, so that Cookie technology will not work inside Iframes. Most external authorisation flows cannot be completed.

After this you will receive them back at one of the URLs you have passed with the request. If the payment was accepted, and the success_url is called, the status of the Smart Transaction changes to pending. See the sections about the status flow, and how to check the status in order to understand more.