Step 1. Your customer goes to checkout

On this page:


When your customer confirms their order or basket, enters their billing and delivery details, and clicks your Pay Now button, your server sends a secure POST to Opayo to register the transaction.

In response, we return:

  • A registration status
  • Transaction identifiers
  • A URL to direct your customer's browser to our hosted payments page.

A payment begins with the customer ordering one or more goods or services from your website. Your customers' interactions with and experience of your website are entirely up to you. Server Integration only needs you to collect the information required to process a payment.

Note: You can set up Tokenisation to further ease your returning customers' payment experience.

    a. Collect the Required Information

    At a minimum, we recommend you identify your customers by their:

    • Name
    • Email address
    • Delivery and billing address
    • Telephone number
    • IP Address used to access your system from

    You should store these details in your session with the details of your customer’s basket contents or other goods ordered.

    You do not need to collect payment data. Your site calculates the total purchase cost in your chosen currency, and we take care of the payment.

    b. Register the Transaction with Opayo

    When your customer confirms their order or basket, enters their billing and delivery details, and clicks your Pay Now button, your server constructs a Transaction Registration message. This must contain:

    • Your VendorName. This is assigned when you sign up to Opayo.
    • A VendorTxCode. This is your own unique payment reference. The value must be unique to each transaction.
    • The purchase details including the:
      • Total value of the purchase before any surcharges are applied
      • Payment currency
      • Customer's billing and delivery address
      • Summary of the goods or services purchased. To display on our payment pages
    • Your NotificationURL. This is the address our servers call back to once the payment process is complete.

    Your server POSTs the Transaction Registration message to the Opayo Server transaction registration service using HTTPS. (see here)

    128-bit Security

    Using our Server Integration method, you are assured that the POST you send to us cannot be tampered with or understood by anyone except us:

    • No sensitive information is passed via the customer’s browser.
    • The POST is between your servers and ours using a 128-bit encrypted session.
    • Anyone attempting to intercept the message is unable to read it.


    Important: When connecting to Opayo's servers, an SSL handshake will take place. Normally, this will go smoothly, but before going live with any integration, you must to check that you have the latest root certificates for Opayo's certificate issuing authority installed on your servers.You can obtain the latest root certificate from here.

    Installing this certificate can differ according to your website and your hosting solution, but a good place to start is here or this site.

    If you need further help configuring your SSL certification chain, you can contact

    c. We Receive Your Transaction Registration POST

    We validate your Transaction Registration POST on its receipt.

    When Your POST is Valid

    After your POST passes validation, we:

    • Register the transaction on our system
    • Send a response to you

    Our response includes:

    • The VPSTxId. This is a new and totally unique transaction code generated to reference each transaction.
    • The Status of OK
    • A blank StatusDetail field.
    • The NextURL. This is the address of the Opayo page your server must redirect your customer's browser to in order to complete the payment.

    When the response Status is OK or OK REPEATED:

    • The response will contain a SecurityKey. This is a single use, ten alphanumeric character long string used to confirm the MD5 hash signature in the notification POST.
    • Store the VPSTxId, SecurityKey, and VendorTxCode in your database with the customer and order details for this transaction.

    Using an Exiting VendorTxCode

    When a VendorTxCode unique payment reference is already used, you will receive an OK REPEATED Status and the same VPSTxId, SecurityKey and NextURL as the first request provided:

    • the original transaction has not completed and is still active, and
    • the Amount and Currency are the same.

    MALFORMED or INVALID Response Status

    If you receive either a MALFORMED or INVALID response Status during integration and testing, use the StatusDetail error message to help debug your scripts.

    If you receive these messages in your live environment:

    • Inform your customer that there has been a problem registering their transaction.
    • We recommend flagging an error in your back-office systems to help you debug.

    Required Fields Check 

    When we receive your Transaction Registration POST, we check that all required fields are complete and correctly formatted.

    When a required field is incomplete our response contains:

    • A Status of MALFORMED
    • The StatusDetail field stating which field is missing. This is helpful during the development stage when you are refining your integration.

    When all required fields are present, the:

    • Vendor field is checked against a pre-registered IP address, so we are certain the POST is from you.
    • Transaction Currency is validated against those accepted by your merchant accounts.
    • VendorTxCode is checked to ensure it has not been used before.
    • Amount field is validated.
    • Flag fields are then checked.
    • Remaining fields are validated to ensure you have passed valid data.

    If any of the information is incorrect, our response contains:

    • A Status of MALFORMED
    • The StatusDetail field stating which field is invalid.


    ❮ Back to Taking Payments Next: Step 2 ❯