Transactions
You must implement and expose the “Authorization” and “ Adjustments” endpoints on your backend so that we can communicate.
Payment processor flow:
We consume the endpoints in the following moments:
During the online flow
Every time a user uses their card in any online or physical store.
During reconciliation
When the network (Mastercard, Visa, etc.) requests reconciliation of all payments presented by merchants.
Considerations
If there is a discrepancy in the reconciliation, we will request a correction to your API. We expect a quick response to ensure a good experience. If the response is delayed, reject the transaction.
Idempotency
Since an HTTP request can time out, make sure that it is processed only once when retrying. We’ll send you an x-idempotency-key header with a unique ID with each request for that purpose. Process with a cache in memory (for example: redis).
At the beginning of each transaction, check if the idempotency key we sent you is already in the in-memory cache and do the following:
There is no idempotency header in the cache
Cache in memory the idempotency key → request with a in-transit status with a TTL of 3 minutes.
When you approve or reject the transaction, you’ll need to cache the result and update the idempotency key status to ‘finished’.
The idempotency header is in the cache
In case of a duplicate request, you will need to check the transaction status in the cache.
- If it is in a
finishedstatus, respond with an HTTP code 200 with the expected body for the endpoint and complete it with the cache result. - If it is in a
in-transitstatus you will need to respond with an HTTP code 425 (Too Early: RFC 8470) with the expected body for the endpoint. We’ll look for the response to this request again a few milliseconds later.
Requests in progress
If you receive a second request with the same idempotence ID and the first is still in progress, you should respond with an HTTP status 425 and an empty body.
Security
The communication between our backends must be strictly secure since the endpoints will allow crediting and deducting funds.
For this purpose, we require you to implement three measures:
- Expose HTTPS endpoint
- Pomelo IPs whitelist
- Hmac-sha256 signature for the request and reply
Expose HTTPS endpoint
All communication with us must be via HTTPS, regardless of who issues the certificate.
These are some of the most recognized providers
- https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
- https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
- https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs
Pomelo IPs whitelist
We always communicate with your backend from specific IPs. We recommend that you only accept requests from the following IPs and reject any others:
Pomelo IPs:
- Testing/Staging Environment:
34.226.254.178
44.198.3.59
34.223.185.46
100.20.205.117- Production Environment:
34.206.159.176
52.0.20.124
35.84.78.117
52.43.46.111Hmac-sha256 signature for the request and reply
To ensure that the only participants in the communication are our backends (Pomelo and the Client), we provide you with an api-key and api-secret during onboarding to digitally sign the content of the communication.
The process looks something like this:
1. During onboarding we exchange the api-key and api-secret keys.
2.
During a payment authorization, Pomelo signs each authorization request with hmac-sha256 using the api-secret.
4. You validate the hmac-sha256 signature with your api-secret corresponding to the request api-key.
5. Authorize the order, debit the user’s funds and sign the response with hmac-sha256 using the api-secret.
6. We verify the hmac-sha256 signature and finish processing the payment.
Key exchange process
During the onboarding process, we create an api-key and api-secret specific to you.
It is also possible to use gpg or an email plugin (such as https://flowcrypt.com/).
Let’s look at an example using openssl on the command line.
1. We create the api-key and api-secret:
$ echo -e 'api-key=$(openssl rand -base64 32)\napi-secret=$(openssl rand -base64 32)' > api-credentials.txt
$ cat api-credentials.txt
api-key=tgeAkX0795jKTxrVR0cJbb//D8UlhHn0KZwTcDG3gyg=
api-secret=un/OHwD+fMN1TTSaEhs0vupQEDQS7DVaUdlNOu7Fpyw=2. You create your public-private key:
$ openssl genrsa -out private.pem 2048
$ openssl rsa -in private.pem -pubout -out public.pem3. Send us your public.pem public key by email or Slack.
4. We encrypt the credential file with the public key you gave us:
$ openssl rsautl -encrypt -in api-credentials.txt -out api-credentials.txt.enc -inkey public.pem -pubin5. We send the api-credentials.txt.enc file by email or Slack
6. Decrypt the api-credentials.txt.enc file with your private.pem private key:
$ openssl rsautl -decrypt -in api-credentials.txt.enc -inkey private.pem
api-key=tgeAkX0795jKTxrVR0cJbb//D8UlhHn0KZwTcDG3gyg=
api-secret=un/OHwD+fMN1TTSaEhs0vupQEDQS7DVaUdlNOu7Fpyw=7. Keep the api-secret in a safe place that is accessible only through the “Authorize payments” application, associated with the api-key.
Request signature process
Along with the authorization or adjustment request we’ll send you HTTP headers with the signature, timestamp and the api-key so that you can verify the signature is correct.
The HTTP headers we send are:
x-api-key: this header allows you to identify which api-secret you have to use in the event that multiple api-key and api-secret pairs have been configured.x-signature: This header contains the digital signature (body + timestamp + endpoint) that must be verified to ensure request integrity. If the signature does not match, reject the order.x-timestamp: this header contains the moment the order was signed in unix-epoch format so that you can verify that the signature has not expired.x-endpoint: the endpoint to which the request is made. Use this header to regenerate the signature to be validated, check with your service endpoint and confirm that they match.
Important: In addition to checking the signature that we send you, when generating the response, you must sign the body along with the timestamp and the response endpoint with your api-secret after impacting the operation. Please note that the signature will be validated and the transaction rejected if the signature does not match or has expired.
How to Test Your Implementation and Sample Code
You can test the implementation of your backend with some typical operations that we will send with a Postman collection, which is included in our [public sample repository] (https://github.com/pomelo-la/cards-transactions-examples). You can import the collection to a Postman instance and thus simulate real orders to your backend, including the signature generation and checking algorithm.
In the repository, you will also find examples of implementation of the signature generation and validation algorithm in several languages.
Settlement
This is an optional process, but we recommend running it daily.
In the SFTP server that we will provide, you will find these files:
- Transaction file
- Presentation file
Transaction file
Contains the details of each transaction from the previous day.
El nombre del archivo tiene el siguiente formato: transaction_yyyy-mm-dd_<nombre cliente>_<pais>.csv
Transaction file structure
| {Atributo} | Description | Allowed values |
|---|---|---|
| TRANSACTION_ID | Unique ID to identify the transaction. | |
| LOCAL_TRANSACTION_DATE_TIME | ||
| TRANSACTION_TYPE | Indicates the transaction type. | PURCHASE WITHDRAWAL EXTRACASH BALANCE_INQUIRY REFUND PAYMENT REVERSAL_PURCHASE REVERSAL_WITHDRAWAL REVERSAL_EXTRACASH REVERSAL_REFUND REVERSAL_PAYMENT REVERSAL_BALANCE_INQUIRY |
| PRODUCT_TYPE | This is the product type | PREPAID CREDIT DEBIT |
| PROVIDER | It is the brand of the issued card. | VISA MASTERCARD |
| AFFINITY_GROUP_ID | ||
| USER_ID | Pomelo cardholder’s user ID. | |
| CARD_ID | ||
| BIN | The first six or eight digits of the PAN. | |
| LAST_FOUR | The last four digits of the PAN. | |
| ORIGIN | DOMESTIC: The transaction occurred in the issuer’s country. INTERNATIONAL: The transaction was not made in the issuer’s country. | |
| MERCHANT_ID | ||
| MERCHANT_MCC | The merchant category code as defined in ISO-18245. | |
| MERCHANT_NAME | ||
| LOCAL_AMOUNT | This is the total transaction amount that must be deducted from the user's balance, with taxes and fees added (where applicable). Always converted to the card's local currency. | |
| LOCAL_CURRENCY | The LOCAL_TOTAL currency code in ISO_4217 ALPHA-3 format. | |
| TRANSACTION_AMOUNT | The transaction value before taxes and in the original currency sent by the merchant. | |
| TRANSACTION_CURRENCY | The TRANSACTION_TOTAL currency code in [ISO_4217] (https://en.wikipedia.org/wiki/ISO_4217#Active_codes) formato ALPHA-3. | |
| SETTLEMENT_AMOUNT | The transaction amount in USD, as sent by the network. For Argentina always show it in USD, and in the local currency for the other countries. | |
| SETTLEMENT_CURRENCY | The currency code of SETTLEMENT_TOTAL in ISO_4217 ALPHA-3 format. For Argentina always show it in USD, and in the local currency for the other countries. | |
| ENTRY_MODE | How the card was used at the merchant's point of sale. | UNKNOWN MANUAL CHIP CONTACTLESS CREDENTIAL_ON_FILE MAG_STRIPE OTHERS |
| STATUS | Transaction status. | APPROVED REJECTED HELD |
| STATUS_DETAIL | Additional reason why the transaction is approved or rejected. | See table below |
| SOURCE | Indicates which flow/process triggered the transaction, as seen from Pomelo. | ONLINE: Originated during transactional flow from real-time transactions sent over the network CLEARING: Originated during the agreement process between Pomelo and the network when managing the settlement file PURGE: Transactions that were not presented in the network settlement file. |
| ORIGINAL_TRANSACTION_ID | This value may be empty if the transaction is not related to another. | |
| COUNTRY_CODE | This is the country code in [ISO-3166] format (https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). | |
| POINT_TYPE | POS ECOMMERCE ATM MOTO | |
| CLIENT_NAME | El nombre del cliente que aprueba o rechaza la transacción, dado que el reporte se segmenta por cliente, va a tener el mismo valor para todas las filas | |
| CLIENT_COUNTRY_CODE | El coódigo de país del cliente en formato ISO-3166 | |
| AMOUNT_DETAILS | El detalle de la composición del monto local, en el mismo formato que es enviado de forma ONLINE. Codificado en base64 | |
| INSTALLMENTS_GRACE_PERIOD | [OPCIONAL*] El período de gracia refiere a la cantidad de meses previo a que comiencen los pagos en cuotas. Puede ir de 0 a 99. | |
| INSTALLMENTS_QUANTITY | [OPCIONAL*] La cantidad de cuotas | |
| INSTALLMENTS_CREDIT_TYPE | [OPCIONAL*] El tipo de crédito otorgado | NO_PROMOTION WITHOUT_INTEREST WITH_INTEREST BUY_TODAY_PAY_LATER |
*_Para los clientes que operen con crédito, se agregan los datos del contrato de cuotas.
STATUS_DETAIL table
| Status detail | Description |
|---|---|
| CARD_BLOCKED | The card status is BLOCKED. |
| CARD_DISABLED | The card status is DISABLED |
| CARD_NOT_ACTIVE | The card status is EMBOSSED or CREATED |
| CARD_NOT_CONFIGURED | The card is missing configurations. |
| CARD_NOT_FOUND | We cannot find the card’s PAN. |
| CLIENT_TIMEOUT | The client is slow to respond. |
| CLIENT_UNAVAILABLE | We cannot connect to the client or we receive a 5XX. |
| CLIENT_SIGNATURE_ERROR | When there is a failure in the client's signature. |
| CRYPTO_ERROR | There is a cryptogram error (EMV). |
| DUPLICATE_TRANSMISSION_DETECTED | We received a repeated transaction from the network. |
| EXPIRED_CARD | The card status is EXPIRED. |
| EXTRA_FIELDS | Messaging from the network comes with unexpected fields. |
| INSUFFICIENT_FUNDS | The client replies that the account has no funds. |
| INTERNAL_ERROR | Unexpected failure in the Pomelo system. |
| INVALID_AMOUNT | The affinity group’s limits are exceeded. |
| INVALID_CVV | The CVV does not match. |
| INVALID_EXPIRATION_DATE | The expiration date received does not match the card. |
| INVALID_MERCHANT | The customer rejects the merchant for a specific reason. |
| INVALID_PIN | The PIN is incorrect |
| PIN_TRY_LIMIT_EXCEED | Se ha ingresado incorrectamente el PIN y se excedio el limite de intentos. |
| INVALID_TRANSACTION | The transaction is invalid. |
| LOST_CARD | The card status is LOST. |
| MISSING_FIELDS | Messaging from the network comes without the required fields. |
| NOT_DECLINED | A transaction has a value of 0, verifying the account is active. |
| ORIGINAL_NOT_FOUND | An attempt is made to reverse a transaction that we did not find. |
| OTHER | The case is not recognized. |
| RESTRICTED_USER | The user's status is not ACTIVE. |
| SECURITY_VIOLATION | Exceeds a fraud threshold. |
| SERVICE_UNAVAILABLE | The client or a Pomelo service is down. |
| STOLEN_CARD | The card’s status is STOLEN. |
| SYSTEM_ERROR | Client's unexpected error. |
| APPROVED | The client approves a transaction. |
| TRANSACTION_NOT_PERMITTED | The transaction type is not allowed in the affinity group. |
| REJECTED_FRAUD | The transaction was rejected by the fraud engine. |
| REJECTED_BY_EXTERNAL_ENGINE_FRAUD | The transaction was declined by the client's or external fraud engine. |
Transaction file reconciliation
| Is it at Pomelo? | Is it at the client? | Does it have the same status? | Action |
|---|---|---|---|
| Y | Y | Y | Do nothing / Mark as matching |
| Y | Y | N | 1) Register an adjustment that debits/credits the end user if applicable. 2) Mark as matching. |
| Y | N | N | 1) IF STATUS == APPROVED: Register an adjustment that debits/credits the end user if applicable. 2) Mark as matching. |
| N | Y | N | It is not a possible use case. |
If you are trying to adjust a credit to an end user who does not have sufficient funds in their account, keep trying to get the funds from that user.
It becomes a debt between the customer and the end user.
Presentation file
Contains the details for each transaction that traders submitted the previous day.
El nombre del archivo tiene el siguiente formato: presentment_yyyy-mm-dd_<nombre cliente>_<pais>.csv
Presentation file structure
| Attribute | Description | Allowed values |
|---|---|---|
| PRESENTMENT_ID | ||
| TRANSACTION_ID | The original transaction ID the presentation generated. | |
| LOCAL_TRANSACTION_DATE_TIME | ||
| TRANSACTION_TYPE | Indicates the transaction type. | PURCHASE WITHDRAWAL EXTRACASH REFUND PAYMENT |
| PRODUCT_TYPE | This is the product type. | PREPAID CREDIT DEBIT |
| PROVIDER | It is the brand of the issued card. | VISA MASTERCARD |
| AFFINITY_GROUP_ID | ||
| USER_ID | Pomelo cardholder’s user ID | |
| CARD_ID | ||
| BIN | The first six or eight digits of the PAN. | |
| LAST_FOUR | The last four digits of the PAN. | |
| ORIGIN | DOMESTIC: The transaction occurred in the issuer’s country. INTERNATIONAL: The transaction was not made in the issuer’s country. | |
| MERCHANT_ID | ||
| MERCHANT_MCC | The merchant category code as defined in ISO-18245. | |
| MERCHANT_NAME | ||
| TRANSACTION_AMOUNT | The transaction value before taxes and in the original currency sent by the merchant. | |
| TRANSACTION_CURRENCY | The TRANSACTION_TOTAL currency code in [ISO_4217] (https://en.wikipedia.org/wiki/ISO_4217#Active_codes) formato ALPHA-3. | |
| SETTLEMENT_AMOUNT | The transaction value presented by the brand. | |
| SETTLEMENT_CURRENCY | The currency code of SETTLEMENT_AMOUNT in ISO_4217 ALPHA-3 format. For Argentina always show it in USD, and in the local currency for the other countries. | |
| DEBT_AMOUNT | The transaction value in the currency to be paid to Pomelo. If the sum is to be paid to Pomelo, it is always a positive value; otherwise, it will be negative. | |
| DEBT_CURRENCY | The DEBT_AMOUNT currency code in ISO_4217 ALPHA-3 format. If it is a domestic transaction it must be paid in local currency, otherwise in USD. | |
| RECONCILIATION_DATE | ||
| INTERCHANGE_FEE | Transaction commission to be applied to the exchange. | |
| INTERCHANGE_RATE | Alphanumeric value that identifies the transaction exchange rate presented by the purchaser. | |
| TAX | This is the exchange rate tax in accordance with local regulations. These values must have VAT calculated. | |
| FUNCTION_CODE | This is the presentation type. | FIRST_PRESENTMENT SECOND_PRESENTMENT_FULL SECOND_PRESENTMENT_PARTIAL |
| REVERSE_PRESENTMENT | This means that the presentation was reverted from the network. | TRUE FALSE |
| REASON_CODE | Reason for the second presentation. | |
| ICA_ACQUIRER | ||
| TAX_ID | ID asociado a los impuestos de la transacción | |
| INSTALLMENTS_GRACE_PERIOD | [OPCIONAL*] El período de gracia refiere a la cantidad de meses previo a que comiencen los pagos en cuotas. Puede ir de 0 a 99. | |
| INSTALLMENTS_QUANTITY | [OPCIONAL*] La cantidad de cuotas | |
| CURRENT_INSTALLMENT | [OPCIONAL*] Indica qué número de cuota está pagando el cliente. | |
| INSTALLMENTS_CREDIT_TYPE | [OPCIONAL*] El tipo de crédito otorgado | NO_PROMOTION WITHOUT_INTEREST WITH_INTEREST BUY_TODAY_PAY_LATER |
| USD_EXCHANGE_RATE | Which will indicate the exchange rate of Banco Nación at the close of the previous day | |
| DEBT_AMOUNT_ARS | The amount of the debt expressed in ARS, multiplying the exchange rate for the amount of the debt amount. In case the Debt Amount is already in ARS, the multiplication is not performed | |
| 3DS | Refers to the authentication outcome in the authorization message. | Ej: 0103212 |
| POINT_TYPE | Indicates the type of transaction performed. | POS ATM ECOMMERCE MOTO |
| ENTRY_MODE | It is the mode in which the card was used at the merchant's point of sale. | MAG_STRIPE CONTACTLESS OTHER UNKNOWN MANUAL CHIP CREDENTIAL_ON_FILE |
| BANKNET_REF_NUMBER | This is the network reference number. |
*_Para los clientes que operen con crédito, se agregan los datos del contrato de cuotas.
Reconciling the presentation file
Our finance team will send daily notifications for the debt owed. This will include all presentations we receive in the presentation file.
Obtaining Transaction and Presentation files
There is an SFTP server from which you can download Transaction and Presentation files.
Pomelo has two environments for SFTP servers, production and development.
To connect to the SFTP servers, first send a public key to create a user.
Here is the data to connect to each environment:
Production Environment:
Host: sftp.pomelo.la
Port: 22
User: <tu_usuario> # the one created from your public keys.Development:
Host: sftp-dev.pomelo.la
{Puerto}: 22
User: <tu_usuario> # the one created from your public keys.To create a public key, use the command applicable to your operating system:
Linux / MacOs:
1. Create an RSA Key Pair, changing the variable $Cliente to the proper name
ssh-keygen -t rsa -b 2048 -C $ClienteThe command will create a 2048-bit RSA key pair by default. You can also create a larger 4096-bit key by entering -b 4096.
The command produces this output:
Generating public/prive rsa key pair.
Enter a file to save the key (/your_home/.ssh/id_rsa):Press Enter to save the key pair in .ssh /, or specify another location.
2. Create a passphrase for your SSH key
Press Enter to leave it blank and use the key only to establish SSH connections. Enter a password for an additional layer of security.
3. Get the public key by reading the public file
cat ~/.ssh/id_rsa.pub
The key generated will start with ssh-rsa.
You can now copy and paste your public SSH key into your Shell console, or any server, to establish a secure connection.
Windows
Create SSH keys using PuTTY. Install PuTTY from the developer page: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
1. Create SSH keys using PuTTY
Install PuTTY from the developer page: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
2. Run the PuTTY SSH key generator
- Press the Windows key.
- Write puttygen.
- Right-click on
PuTTYgen. - Click
Run as administrator. - Click
Yesif the system asks youDo you want to allow this app to make changes to your device?
3. Use PuTTY to create an SSH key pair
While the PuTTY keygen tool offers several other algorithms, here is how to create RSA keys, one of the most often used:
- In the PuTTY Key Generator window, click
Build. - Move the cursor in the gray box to fill the green bar.
- Generating an SSH key pair in Putty.
- Save the public key by clicking the
Save Public Keybutton. Then choose a location to save the key and assign a name to it. - Save the private key:
- Click the
Conversionsmenu at the top. - Click Export OpenSSH Key.
- The system will ask you if you want to save a key without a password. Click
Yes. - Choose a location to save the key (usually the same folder as the public key).
- Name the key (for example, putty_key).
- Click the
Adjustments
The /transactions/adjustments/{type} endpoint allows you to make credit and debit adjustments to transactions.
A request informing you that the network (MC, VISA) forced an authorization will be sent.
Considerations
This endpoint is used during reconciliation and online flows, mainly to make adjustments during the settlement process and also in the event of returns.
Was this section helpful to you?
Notifications
This service allows notifications when a transaction is resolved, either by Pomelo or by the brand (Mastercard, Visa, etc.).
Considerations
We are waiting for a 2XX response to ensure the notification was received. Otherwise, we will send it again.