Frequently asked questions

General

The Internet Payment Gateway (IPG) is a software solution that connects a web store with a bank so that, via the Internet – through secure channels, it can transmit the customer’s sensitive card data from the web store to the bank to initiate a payment transaction and vice versa, to inform about the result of the initiated transaction.

PCI DSS (Payment Card Industry Data Security Standard) is a comprehensive set of standards produced by card payment schemes for preserving data security in card payments.

The purpose of the standard is to increase the security of card operations and protect users of card payment services. All banks and card companies, issuers and acquirers, Internet Payment Gateways and other business entities that participate in the card payment chain and receive, process, store or forward card data, regardless of the volume of business, are required to comply with the PCI DSS standard.

CorvusPay has been in compliance with the standard since 2012 and holds a PCI DSS Level 1 certificate, the highest level of compliance. Every year, we renew the certificate, which is preceded by a rigorous assessment of the system, performed under the expert supervision of recognized auditing companies (Qualified Security Assessor). Many years of certificate holding place us among the world’s best and most secure electronic payments companies.

The CorvusPay service can be contracted by web merchants or companies registered in Croatia, Bosnia and Herzegovina, Serbia and the European Union.

The transaction flow is as follows:

  • The issuing bank issues a payment card to the customer, enabling him to pay via the Internet to the merchant.
  • The transaction is processed by the Internet Payment Gateway, which sends it from the merchant to the acquirer banks to initiate a payment transaction.
  • The acquiring bank accepts the merchant’s transaction and forwards it to the card organization (Mastercard, Visa).
  • The card organization validates the information about the card and the card owner in collaboration with the bank that issued the card. The customer may also be asked to verify his identity using 3D Secure.
  • After confirming the transaction’s authenticity, the card organization and the issuing bank reply to the acquiring bank with the verification result.
  • The outcome of the payment transaction is sent to the merchant by the Internet Payment Gateway, containing the result of the payment transaction.
  • If the transaction is approved, the banks balance the accounts with one another.

Here is how fees are paid:

  • The bank, with which the merchant signed the card acquiring contract, charges the merchant a fee for acquiring.
  • The Internet Payment Gateway, with whom the merchant signed the transaction processing agreement, charges the merchant a fee for processing.
  • The issuing bank takes on the risk of non-payment; in other words, the bank assures the merchant that payment will be made if the transaction is carried out according to the guidelines. The acquiring bank charges the issuing bank a fee to cover processing expenses, fraud risk, collection risk, and any payment delays (including installment payments).

The following link will take you to the CorvusPay service’s price list. Additional fees apply for functionalities like Virtual POS, Card Storage, Pay By Link, Subscription, and others.

It is possible to complete the process in a few days. The implementation procedure moves in parallel in two directions.

Administrative issues

In order to start the card payment activation procedure, CorvusPay obtains the necessary paperwork from the merchant, which is then sent to the banks or card houses. Based on the submitted documentation, the banks’ sales teams contact the merchant and, upon signing the agreement, register the point of sale with global card schemes (Visa, Mastercard). After the application processes are completed, the banks send CorvusPay production parameters for the web store.

Integration and testing
In parallel, the merchant, assisted by CorvusPay’s guidance and support:

  • Sets mandatory content on the web store,
  • Connects a web store to CorvusPay (either by following the guidelines in the technical documentation or by using one of the pre-made plugins),
  • Runs system tests.

Once all the steps have been successfully finished and the merchant confirms that he wants to proceed with going into production, CorvusPay activates the payment parameters.

The following is how the transaction via the CorvusPay system proceeds:

  1. After choosing a product or service in the online store, the buyer selects card payment as a payment method.
  2. The buyer is taken to the CorvusPay payment form (page), where he inputs the information required to complete the card transaction.
  3. CorvusPay sends an authorization request to the acquiring bank.
  4. CorvusPay receives a response from the acquiring bank on the authorization request.
  5. Depending on the outcome of the transaction, CorvusPay sends the buyer to the merchant’s specified cancel or success URL.

Of course. All banks to which CorvusPay is connected accept one-time payments with cards of popular card brands, regardless of which bank in the world (issuer) issued the card.

The ability for online merchants to display prices in multiple currencies (a feature known as a pricing calculator) is a business decision that is independent of CorvusPay. However, pricing on the CorvusPay payment form can only be shown in the currency or currencies that are accepted by the bank or banks that the merchant has negotiated acquiring through.

CorvusPay supports the storage of card data, which enables advanced functionalities:

  • CorvusWallet: the buyer saves card data in a wallet and can use it in all web stores that support CorvusWallet as a payment method,
  • Subscription: after the buyer saves tha card data and with his prior permission, the merchant initiates the transaction when the buyer isn’t physically present behind the screen
  • Card Storage: The buyer saves card information and can only use stored cards to make payments at the online retailer where the card was stored.
  1. CorvusPay has the Pay By Link (Click and Pay) module that gives the merchant an additional payment option. It is utilized when a buyer creates an order that the merchant cannot fulfill in time, or when the merchant offers goods and services for which he does not necessarily have an online store.

Through the Merchant portal, the merchant can quickly and easily create and send the payment link to the consumer via email, SMS, Viber, WhatsApp or similar communication channel. The customer makes the payment by clicking the link, which opens the payment form and asks for his card information.

Apart from the standard feature of utilizing a link to make a payment, Reusable PayByLink enables the distribution of the same link to a greater number of users, as in marketing campaigns.

We also facilitate PayByLink Tokenization, which stores credit card information, with the permission of the buyer, as a safeguard against future charges (suitable for travel, vehicle rentals, and related industries).

3D Secure is an advanced authentication system based on buyer identity verification using SSL/TLS technologies. 3D Secure authentication of the buyer does not represent an additional obligation for the merchant during the activation and use of card payment, because it takes place during the payment process on the side of the card issuer, to which CorvusPay forwards the buyer for additional identity verification. On the bank page that issued the payment card, the buyer enters the required data to confirm his identity using a token or a password. The exchange of confidential information takes place over a secure connection, only between the card user and the bank that issued the card.

BANKS, CARDS AND CONFIGURATIONS

Through CorvusPay it is possible to make payments with all popular card brands: American Express, Dina, Diners, Discover, Maestro, Mastercard and Visa.

In addition to EUR, merchants can arrange acquiring in 40 more international currencies through Teya and Worldline.

Payments for online stores registered in Bosnia and Herzegovina and Serbia can be processed only in domicile curencies (BAM and RSD), through local acquiring banks.

If he wants to offer installment payment for cards of:

  • Zagrebačka banka, the merchant must sign a contract for card acquiring with Zagrebačka banka,
  • Privredna banka Zagreb or PBZ Card, the merchant must sign a contract for card acquiring with PBZ Card,
  • Erste Card Club, Erste&Steiermärkische Bank, Istarske kreditna banka Umag, Jadranska banka, Kentbank, Kreditna banka Zagreb, Sberbank and Slatinska banka, the merchant must sign a contract for card acquiring with Erste Card Club,
  • OTP banka, the merchant must sign a contract for card acquiring with OTP banka.

In Serbia, sales in installments is possible for Banca Intesa cards.

Assume clients are not given the option of paying in installments using the cards of banks and card companies with which the merchant has signed an agreement to allow installment transactions. In that scenario, the merchant should check the settings on his end, depending on the web platform.

If the merchant is integrated in accordance with the integration documentation, he should chec if he delivers the installment parameter in the request correctly.

If a merchant uses WooCommerce, Magento, PrestaShop or Shopify, he should check the plugin settings to see if installments are enabled.

The main acquirer is the bank to which one-time transactions with cards issued by domestic and foreign banks, with which the merchant hasn’t signed the acquiring agreement, are redirected.

The merchant chooses his main bank depending on the fees he has agreed to with the banks with which he has an acquiring agreement.

The merchant decides which transactions to submit to which banks, depending on the fees he has agreed upon with specific banks.

Every payment card has the bank’s BIN (Bank Identification Number) embedded in the card number. Based on BINs and instructions from the merchant, CorvusPay routes transactions to acquiring banks in accordance with the conditions that have been negotiated between banks and merchants.

Acquiring fees and due dates are negotiated directly between the banks and the merchant. CorvusPay is not a bank or a company that provides banking services, so it does not have access to buyer accounts and does not transfer money between accounts.

CorvusPay does not have the info about fees charged by banks for acquiring.

The merchant makes the decision on the bank or banks through which he wishes to process online card transactions. Depending on which bank or banks they choose to enter into a contract with for the card acquiring service, merchants negotiate the terms directly.

INTEGRATION AND USER ACCOUNTS

Before signing the contract, merchants can test all functionalities on a test environment. For instructions, please contact CorvusPay Customer Support.

Testing is not available if you use the Shopify platform.

 

The most typical error during integration is inaccurate signature calculation – the merchant uses the incorrect Store ID and Key, does not transmit all mandatory parameters in the correct format, sends optional parameters but does not take them into account when calculating the signature, and so on.

The order number must be unique on the test environment – this only pertains to the test environment, not to subsequent production.

 

The API certificate allows merchants to manage transactions through their backend.

Merchants can use the API to complete a pre-authorized transaction, cancel a pre-authorization, refund an authorized/completed transaction, verify the transaction status, or initiate the next payment (if the customer has previously tokenized the card). The CorvusPay integration documentation contains more information.

  1. The SSL certificate is a piece of server-side web code that helps to increase user confidence in the web address and the merchant’s website by enabling secure information exchange between website visitors and the server hosting the site. An encrypted connection to the server is provided by the SSL certificate when the web browser displays web pages. Buyer messages and personal data are safe because of the SSL certificate. SSL certificates not only increase online security but also give purchasers additional assurance because they include information proving the legitimacy of the business.

Due to the buyer entering all sensitive card information into the CorvusPay payment form, which is protected by 256-bit SSL encryption, the merchant does not come into contact with card data, is not responsible for its transfer or storage, so he or she is not required to have an SSL certificate. Additionally, all stored user data is protected by strong cryptography, using a FIPS 140-2 Level 3 certified cryptographic device.

SSL is, however, recommended to web shops, as some Internet browsers display a warning message to buyers the moment they switch from a page secured by an SSL certificate (exposed through https: //) to a page that is not secured. Although harmless, an alert message that appears when a buyer, having entered sensitive card data into the CorvusPay payment form, returns to the merchant’s online point of sale, can often be confusing and does not instill trust, which is why we recommend our clients to install an SSL certificate. If the sole purpose of having an SSL certificate is to disable the above mentioned warning message, a certificate with a minimum verification level is sufficient.

CorvusPay plugins are available for WooCommerce, Magento, PrestaShop, Hybris, and Shopify.

Links to the plugins can be found at: https://cps.corvus.hr/public/corvuspay/

The appearance of the payment form can be customized. Instructions are provided in the Merchant site user manual.

The merchants themselves, following instructions from CorvusPay, create test and production user accounts via the CorvusPay interface for merchants, known as the Merchant portal. Through the Merchant portal they have access to details about every transaction. 

CorvusPay also offers the possibility of integrating transaction management into the business logic of the merchant’s application (CRM, CMS) via API mode.

The e-mail address used to establish the account serves as the username for logging into the Merchant portal. Contact CorvusPay customer service if you need assistance determining which e-mail address you used while creating your account.

If you have forgotten your login password, click Forgot Password and follow the on-screen instructions to change it.

When logging into the Merchant portal, it is possible to activate an additional level of identity verification using an application that creates one-time codes in a few simple steps.

You need to do the following:

  • Install the FreeOTP or Google Authenticator apps from Google Play or the Apple App Store,
  • Open the application and scan the barcode or enter the key specified in the CorvusPay account settings interface -> authenticator,
  • Enter the one-time code generated by the application, then click Save to save the modifications and activate the option.

To disable the authenticator for logging into the CorvusPay site, please contact CorvusPay customer support.

By sending an invitation through the CorvusPay interface (Settings – Users – Add new user), an existing company administrator can add one or more administrators/users and assign them necessary rights.

Only after accepting the invitation provided to his email address does the newly added administrator/user become visible in the system.

According to the Cash Transaction Fiscalization Law, cards are a payment method which falls within the scope of cash payments, which means they are subject to fiscalization. CorvusPay does not offer an invoice fiscalization solution at the moment.

OPERATIONAL WORK WITH TRANSACTIONS

The following types of transactions are supported within CorvusPay:

  • Pre-authorization – the reservation of funds on the customer’s account, for which confirmation within seven days is recommended. It is often used when the merchant checks the availability of purchased goods in the warehouse before completing the transaction, i.e. deducting money from the customer’s account.
  • Completion – confirmation of pre-authorized transaction. The suggested timeframe for completing the pre-authorization is seven days. At the expiration of the pre-authorization, the reserved funds are automatically released to the buyer and the merchant is no longer able to fulfill that order. The amount in the completion request could match the pre-authorization amount or be less.
  • Authorization – a purchase that doesn’t need to be confirmed. The bank debits the customer’s account right away if it finds that there are enough funds in the account.
  • Cancellation – is used to cancel the pre-authorization if the merchant cannot deliver the ordered products or services.
  • Return – is used when authorization or completion has been completed, but the customer is unsatisfied with the product or service and wants a refund. The amount in the refund request may be equal to or less than the authorized amount.
  1. Authorization is a real-time transaction that charges the customer’s card without the need for further confirmation from the merchant.

Funds are reserved on the customer’s card through a process called pre-authorization, and the transaction is debited when the merchant verifies (completes) it. When a merchant needs to verify whether a good or service is available, they use it. The bank that issued the card determines when the pre-authorization must be completed. Debiting is not possible when the pre-authorization expires; instead, the consumer needs to complete a new transaction in order to pay. It is advised that merchants complete the pre-authorized transactions in seven days or less.

CorvusPay has no accounts and cannot transfer funds from one account to another because it is not a bank and does not provide banking services.

Banks, with which the merchant has signed an agreement for acquiring of card transactions, pay funds to the merchant’s business account. The web merchant negotiates the conditions and payment arrangements with the bank/card company directly.

If you have any concerns about the payment of funds or the payment dates, please contact the bank or banks with which you have signed the acquiring agreements.

The web store receives notification that the transaction has been completed or that the customer has abandoned the transaction via callback URLs established by the merchant and entered into the CorvusPay Merchant portal.

CorvusPay returns the customer to the success page (Success URL) after a successful transaction. CorvusPay redirects the customer to the failure page (Cancel URL) if the customer presses the cancel button on the payment form.

If the bank refuses to authorize the transaction for whatever reason, CorvusPay does not redirect the customer to the Cancel URL. In such cases, the customer returns to the payment form with the bank’s response and attempts the payment once more.

In rare circumstances, the webshop may not be notified that the transaction was successful – the consumer may stop the browser after being transferred to the success page, run out of electricity or internet connection, etc. In these cases, the merchant can use the CorvusPay site to verify the status of the transaction or, as instructed in the integration documentation, he can access the API to check the status of the transaction.

The CorvusPay merchant portal and an API call (details are given in the integration documentation) are the two ways the merchant can verify the status of a transaction.

The transaction status “Declined” indicates that, for whatever reason, the bank declined to approve the transaction. The reason for declining the transaction is indicated numerically by the Response code seen in the transaction details, next to the “Declined” status. The CorvusPay integration documentation provides details on the reasons for decline for each response code.

An unprocessed transaction is one that has not been completed since the buyer still needs to correctly authenticate himself using 3D Secure, which is done by the bank that provided the card.

The 3D Secure verification, done by the bank that issued the card, varies from bank to bank.

The cardholder should get in touch with the bank that issued the card.

The card department phone number can be usually found on the back of the card or on the bank’s website.

The merchant can activate the “Notify merchant” option through the Merchant portal.

The merchant will receive an email notification for each successful transaction if this option is activated.

Through the Merchant portal the merchant can also activate the option “Notify the cardholder”. If this option is turned on, the buyer will receive a notification by e-mail for every successful transaction.

The merchant can initiate refunds to the buyer through the Merchant portal or via an API call.

Refund requests made through the CorvusPay system may be declined by the bank for a number of reasons, such as the card having expired or the refund being rejected by the bank’s risk system. In these circumstances, the merchant should send the bank an email asking for the refund.

Through CorvusPay, the merchant only initiates a refund request to the bank.

Refunds do not depend on CorvusPay but on the bank and card brand and can last from 1-28 days.

Only merchants are eligible for customer service from CorvusPay. CorvusPay does not communicate with end buyers.

Ready to Get Started with CorvusPay?

Send an Inquiry
Scroll to Top