Do I need PCI certification?

Developers

Server-to-Server Integration

PAYIN S2S — POST /api/s2s with public_key, terNO, and card details. 3DS via authurl.

Overview

Server-to-server integration posts payment data from your backend to BoxCharge. Use Simple S2S (JSON) or Encrypted S2S (AES-256-CBC). Full reference: /developers/api-reference

Integration

Integration Flow

1. Prepare credentials

Obtain baseUrl, terNO, public_key (and private_key for encrypted mode).

2. POST /api/s2s

Send bill_amt, reference, mop, card fields, webhook_url, return_url.

3. Handle 3DS + webhook

Redirect to authurl; confirm final status via webhook_url.

Sample

Request / Response

POST /api/s2s

POST https://api.boxchrge.com/api/s2s
Content-Type: application/json

{
  "reference": "1DEVJAVA250422",
  "public_key": "YOUR_TERMINAL_PUBLIC_KEY",
  "terNO": 42,
  "bill_amt": "124.80",
  "bill_currency": "EUR",
  "mop": "CC",
  "ccno": "4111111111111111",
  "ccvv": "123",
  "month": "01",
  "year": "30",
  "webhook_url": "https://merchant.com/hooks/bx",
  "return_url": "https://merchant.com/return"
}

// Response → redirect customer to authurl for 3DS

Authentication

Bearer token plus optional IP allow-listing for production keys.

Security Notes

• S2S with raw card data requires PCI scope on the merchant side.
• Tokenized S2S flows are preferred where supported.
• All payloads are encrypted in transit.

Notes

Implementation Notes

• Prefer tokenized S2S over raw PAN where possible.
• Handle 3DS challenge redirects on the merchant side.
• Persist payment IDs for reconciliation.

FAQ

Developer FAQ

S2S with raw card data requires appropriate PCI scope. Tokenized flows reduce that scope.

Start Building With BoxCharge

Request Integration Access