Once a payment is made, a notification will be sent to the merchant indicating whether the payment was successful or not. The steps below show how the notification is sent from the Masterpass system and how the merchant must respond to confirm they have received the transaction notification.

  1. Once a payment is made a notification will be sent to the merchant indicating whether the payment was successful or not.

  2. If the merchant is set up to receive real-time notification an HTTP POST will hit the designated merchant URL.

  3. The payload of the HTTP POST will be a Base64 encoded String. This data needs to be decoded and decrypted using the key created on the Scan to Pay system which is obtained from the Scan to Pay Portal. You will need to be logged on to the Portal with the applicable merchant profile and under the logged on email address dropdown there will be a Notifications button.

  4. The decrypted payload will be a JSON string. The merchant needs to check back if a notification is expected and perform the relevant actions.

  5. Once the merchant is done processing the message, a 200 response needs to be returned if the merchant wishes to finalise the payment. Failure to send the 200 response will result in the transaction being rolled back, provided the merchant has HTTP real-time notification set up. The timeout for sending the 200 is 45 seconds.

  6. If email notification is configured an email will be sent.

  7. If SMS notification is configured an SMS will be sent.

Notification URL

Please note that on the Scan to Pay Portal, if you add a notification URL and then click the Check button, an unencrypted JSON string will be sent as either:

V1 Check:

{ "result": "TEST" }

V2 Check:

{ "result": "TEST" }

The actual notification payload on transactions will, however, be encrypted, provided the notification URL has an associated generated notification key. The currently allowed ports on the notification URL are TCP/80, TCP/443, TCP/8080, and TCP/8443.

HTTP Decrypt

The payload of the HTTP POST request is encrypted using a Scan to Pay designated notification key. This has been done for two reasons:

  1. The merchant may not have set up SSL, and therefore the data could be transmitted over a non-secure line.

  2. This forces the merchant to verify that the message came from the Scan to Pay system. If the message did not decrypt correctly, it is fake, or the wrong key has been used.

The key can be generated from the Scan to Pay Portal by logging on as a Merchant profile and then clicking on the logged on email dropdown, and then selecting the Notifications option.

The encryption used is AES/CBC/PKCS5Padding. Please note the IV is set to all nulls (0x00).

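import java.io.InputStream;
import java.io.StringWriter;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.io.IOUtils;

public class DecryptSample {
    public String decrypt(InputStream is) throws Exception {
        StringWriter writer = new StringWriter();
        IOUtils.copy(is, writer, "UTF-8"); // read the Base64 body of the HTTP POST
        byte[] data = Base64.decodeBase64(writer.toString().getBytes("UTF-8"));
        byte[] rawKey = Hex.decodeHex("Notification key from portal".toCharArray()); // hex key
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE,
            new SecretKeySpec(rawKey, "AES"),
            new IvParameterSpec(new byte[16])); // IV is all nulls (0x00)
        return new String(cipher.doFinal(data), "UTF-8"); // decrypted JSON string
    }
}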
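
The notification flow described above, end to end, as an added example that is not part of the Scan to Pay documentation: it decides whether to answer 200 for an encrypted notification, for the unencrypted portal check, and for a body that fails to decrypt. PKCS5 padding alone is not an integrity check, so the decrypted text is also required to look like a JSON object. Assumptions: Java 17+ (for `HexFormat`), JDK classes only, a constructed key and payload, the hypothetical names `NotificationHandlerExample` and `handle`, and 400 as the rejection status (the page only requires that no 200 is sent).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HexFormat; // Java 17+
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class NotificationHandlerExample {
    // Constructed sample key (hex); the real key is generated on the Scan to Pay Portal.
    static final String SAMPLE_KEY_HEX = "000102030405060708090a0b0c0d0e0f";

    static byte[] aes(int mode, String keyHex, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(HexFormat.of().parseHex(keyHex), "AES"),
               new IvParameterSpec(new byte[16])); // all-zero IV, as the page specifies
        return c.doFinal(in);
    }

    /** Returns the HTTP status to send back: 200 only when the body was accepted. */
    static int handle(String body, String keyHex) {
        String trimmed = body.trim();
        // Portal "Check" button: unencrypted JSON, nothing to finalise.
        if (trimmed.startsWith("{")) {
            return trimmed.replaceAll("\\s", "").equals("{\"result\":\"TEST\"}") ? 200 : 400;
        }
        try {
            byte[] data = Base64.getMimeDecoder().decode(trimmed);
            String json = new String(aes(Cipher.DECRYPT_MODE, keyHex, data),
                                     StandardCharsets.UTF_8).trim();
            // A wrong key can occasionally yield valid padding, so check the plaintext too.
            if (!json.startsWith("{") || !json.endsWith("}")) return 400;
            // Hypothetical hook: match the JSON against a payment the merchant expects.
            return 200;
        } catch (Exception e) { // bad Base64, bad padding or wrong key
            return 400;         // no 200 is sent, so the transaction is rolled back
        }
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"constructedField\":\"constructed value\"}"; // constructed payload
        String body = Base64.getEncoder().encodeToString(
            aes(Cipher.ENCRYPT_MODE, SAMPLE_KEY_HEX, json.getBytes(StandardCharsets.UTF_8)));
        System.out.println(handle(body, SAMPLE_KEY_HEX));                       // encrypted notification
        System.out.println(handle(body, "ff" + SAMPLE_KEY_HEX.substring(2)));   // wrong key
        System.out.println(handle("{ \"result\": \"TEST\" }", SAMPLE_KEY_HEX)); // portal check
    }
}
```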