Overview

Server-to-Server (S2S) Integration

Also known as Direct API, this integration allows your server to communicate directly with Oceanpayment's API. It is best suited for scenarios that require fully customized payment flows.

  • 🔒️ PCI DSS Compliance
  • ⚡ Seamless, Fast Payment Integration
  • 🎉 Responsive Design Across All Devices

Credit Card Integration

With this integration mode, your server will directly handle, transmit, or process Cardholder Data (CHD). As a result, your system falls under the scope of PCI DSS compliance.

  1. Your Server: Collect payment information (card number, expiry date, CVV, etc.) from the customer and securely transmit it to Oceanpayment.
  2. Oceanpayment: Receive payment information, process transactions, return results, and handle settlement with banks and card networks.

Core Compliance Requirements

Choosing this integration means the merchant agrees to fulfill the relevant PCI DSS obligations. Oceanpayment is certified to PCI DSS Level 1, but merchants are still responsible for their own compliance.

| Party | Responsibility |
| --- | --- |
| Oceanpayment | Ensure platform and infrastructure security; maintain PCI DSS-compliant gateway interfaces |
| Merchant | Secure their systems, networks, applications, and handling of CHD; ensure compliance with PCI DSS |

Mandatory Integration Requirements

To ensure a secure and compliant payment environment, merchants using S2S must meet the following requirements:

  1. No storage of sensitive authentication data
    • Complete magnetic stripe data, card verification codes (CAV2/CVC2/CVV2/CID), or PIN blocks must not be stored in databases, logs, or monitoring systems.
  2. Encrypted Transmission
    • All communications between the merchant server and Oceanpayment API endpoints must use strong encryption protocols.
    • Minimum: TLS 1.2 or higher. SSL and older TLS versions must be disabled.
    • Secure cipher suites must be configured, and weak algorithms disabled.
  3. PCI DSS Level 1 Certification
    • Merchants must renew their PCI certificate annually and provide an Attestation of Compliance (AOC).
  4. Quarterly ASV Vulnerability Scans
    • External vulnerability scans of all internet-facing systems (web servers, API endpoints, firewalls, etc.) must be performed at least quarterly (Q1, Q2, Q3, Q4). A valid report is also required before first go-live.
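
One way to meet the storage and transmission requirements above in a Python merchant service, as an added example (not Oceanpayment code): a logging filter that strips card data before a record is written, and a client TLS context with a TLS 1.2 floor. Field names other than pay_accountNumber are hypothetical.

```python
import logging
import re
import ssl

# Assumption: keys under which card data could reach a log line.
# pay_accountNumber is from this page; the other names are hypothetical.
SENSITIVE_KEYS = ("pay_accountNumber", "card_number", "cvv2", "cvv", "cvc")
KEY_RE = re.compile(r"\b(%s)=[^&\s]*" % "|".join(SENSITIVE_KEYS), re.I)
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text):
    """Blank sensitive key=value pairs, then any Luhn-valid PAN in free text."""
    text = KEY_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "[PAN REDACTED]" if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(mask, text)

class CardDataFilter(logging.Filter):
    """Attach to every handler so no record is written unredacted."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def gateway_tls_context():
    """Client context for gateway calls: certificate checks on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    # Constructed log line using the well-known 4111... test number.
    print(redact("card_number=4111111111111111&cvv=123&order_number=NO12345678"))
```

The Luhn check keeps long non-card identifiers such as payment_id readable in logs while still catching card numbers that appear outside a known key.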

Compliance Process

  1. Pre-Assessment: Review this document and evaluate if requirements can be met before integration.
  2. Technical Integration: Develop integration using Oceanpayment API documentation, following all security requirements.
  3. Submission & Review: Submit “qualified” ASV reports and signed PCI DSS Level 1 certificates via email for Oceanpayment review.

Important Notes

  • Failure to submit ASV reports or PCI certificates on time may result in service suspension or a requirement to switch integration methods to ensure overall payment environment security.
  • This document provides a summary of PCI DSS requirements; official documentation from the PCI Security Standards Council takes precedence.

Next Steps

If you accept these requirements and plan to proceed, contact us via email. Our Technical Account Manager will provide full API documentation and test credentials. For questions regarding compliance or integration, reach us at: techservice@oceanpayment.com.cn

Local Payment Integration

How It Works

Info

Local payments (excluding credit cards) do not collect card information and are not subject to PCI DSS. Supported direct integrations include Apple Pay, Google Pay, WeChat Pay, and Alipay.

Apple Pay & Google Pay Integration

Merchants must register official Apple Pay and Google Pay developer accounts. Obtain the Payment Token and include it in your S2S request to Oceanpayment.

Flow Diagram

  1. Submit the required parameters using the direct API (S2S) mode. The pay_accountNumber parameter should contain the card information token returned by Apple Pay or Google Pay. The methods parameter takes one of the enum values ApplePay or GooglePay.
# Each value is percent-encoded with --data-urlencode: the Base64 in pay_accountNumber
# contains '+', which a form-urlencoded body would otherwise decode as a space.
curl -X POST 'https://test-secure.oceanpayment.com/gateway/direct/pay' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'account=995149' \
--data-urlencode 'terminal=99514901' \
--data-urlencode 'signValue=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b' \
--data-urlencode 'backUrl=https://www.abc.com/back.php' \
--data-urlencode 'noticeUrl=https://www.abc.com/notice.php' \
--data-urlencode 'order_number=NO12345678' \
--data-urlencode 'order_currency=USD' \
--data-urlencode 'order_amount=0.01' \
--data-urlencode 'methods={methods}' \
--data-urlencode 'order_notes=' \
--data-urlencode 'pay_accountNumber={"paymentData":{"data":"P/Qqc9AoboM0V9smWAWuYJO2hA5eOEQMkeuLAP/n6UkOobJHMGlDYNYRJOVTZKjQXvkjBuppGVppuM5kOYBrjJx3eKqhecZrNykGlooocdHKkp6BdRsjNH7rDOwht9IurY0dcP/ZIXycjujtH+l0c+Ez/+bEnvKMuU/0P83pz8OL5NEiXt0OJAux7M1ek1hw6+9cUZAdH6OW0Jlpxc08cZFqIdm4ETmaPoAm8Vf1+PDUb7qYCvlRCr0S09oEkX0MlrtgNBcbiIIAQijM9c16uwg/jL6HT7DXcVhOQEx7PLbshl4mnWE8m3ezpUgzB5q/2lOcVqE0W2VggrW/P3xdabnIsGUPc9trqDn5lVM02XUBfA3AHvc49DJKoNxn2X4m0wlha95CUayQImZxRQ==","signature":"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","header":{"publicKeyHash":"LfT8NhajbyOZdSZ5fWF9tJjQk9ZUoy+CnI5PZsD/e7M=","ephemeralPublicKey":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExekguuW80+zLuywKufjWwQpasFSw11HrGbjBqZx7PXI0wpY2JOWRZ26OMSUvyBJKP43gqJZny7+dw1xDxq2bBw==","transactionId":"8d31b7aef561befa41d5a881918983a6fbecb0f399a490ef15bc1dc50fe2c890"},"version":"EC_v1"},"paymentMethod":{"displayName":"MasterCard 0049","network":"MasterCard","type":"credit"},"transactionIdentifier":"8d31b7aef561befa41d5a881918983a6fbecb0f399a490ef15bc1dc50fe2c890"}' \
--data-urlencode 'billing_firstName=test' \
--data-urlencode 'billing_lastName=test' \
--data-urlencode 'billing_email=test@gmail.com' \
--data-urlencode 'billing_phone=13800138000' \
--data-urlencode 'billing_country=US' \
--data-urlencode 'billing_state=AL' \
--data-urlencode 'billing_city=Washington D.C.' \
--data-urlencode 'billing_address=705A big Road' \
--data-urlencode 'billing_zip=529012' \
--data-urlencode 'billing_ip=127.0.0.1' \
--data-urlencode 'productNum=1' \
--data-urlencode 'productName=Red Dress' \
--data-urlencode 'productSku=#001' \
--data-urlencode 'productPrice=0.01'
  2. Check the pay_url field in the payment response to determine if 3D Secure is required:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<notice_type>transaction</notice_type>
<push_dateTime>2025-12-19 09:52:47</push_dateTime>
<account>995149</account>
<terminal>99514901</terminal>
<signValue>D6315600AE0002C1468DC9B943E17E90B314E73581393ABC332B92985E41B100</signValue>
<methods>GooglePay</methods>
<order_number>NO12345678</order_number>
<card_country>PL</card_country>
<order_currency>USD</order_currency>
<order_amount>0.01</order_amount>
<order_notes></order_notes>
<card_number>411111***1111</card_number>
<card_type>Visa</card_type>
<payment_country></payment_country>
<payment_id>231219095247018026021</payment_id>
<payment_authType>3</payment_authType>
<payment_status>-1</payment_status>
<payment_details>80093:3D Authorized Service not completed</payment_details>
<payment_solutions></payment_solutions>
<payment_risk></payment_risk>
<payment_amount></payment_amount>
<payment_exchangeRate></payment_exchangeRate>
<auth_reason></auth_reason>
<auth_code></auth_code>
<pay_userId></pay_userId>
<pay_url>https://test-secure.oceanpayment.com:443/gateway/direct/redirect?pay_id=2dfb964bb67134ba6ed72183a4eecfc5f35f4364745f75e12f50f33b6ac74ef8</pay_url>
</response>
  • If pay_url is empty, no 3D verification is required and the response is the final payment result. An asynchronous notification is also sent to noticeUrl.
  • If pay_url is not empty, redirect the customer to the pay_url to complete 3D verification. The payment result is then sent again to backUrl (by default via POST), and an asynchronous notification is sent to noticeUrl.
    • Merchants redirect users to pay_url:
HTTP/1.1 301 Moved Permanently
Location: {pay_url}
  3. Check the payment status via noticeUrl to confirm the final transaction result.
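
The pay_url decision from step 2, as an added Python example (not Oceanpayment code): it parses the XML response and only returns a redirect target that is an HTTPS URL on an allow-listed gateway host. The allow-list contents and function names are assumptions; signValue verification is a separate step and is not shown.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: hosts the customer may be redirected to. Only the test host
# appears on this page; add the production host from your API documentation.
ALLOWED_PAY_HOSTS = {"test-secure.oceanpayment.com"}

def parse_response(xml_text):
    """Parse a direct-pay XML response into a dict of field name -> text."""
    # A gateway response has no reason to carry a DTD; refuse entity tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in gateway response")
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("unexpected root element: %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}

def next_action(fields):
    """Return ("final", payment_status) or ("redirect", pay_url).

    Call this only after signValue has been verified as described in the
    Signature & Verification section (not reproduced here).
    """
    pay_url = fields.get("pay_url", "")
    if not pay_url:
        return ("final", fields.get("payment_status", ""))
    parts = urlsplit(pay_url)
    # hostname ignores any "user@" prefix, so look-alike URLs are rejected.
    if (parts.scheme != "https" or parts.hostname not in ALLOWED_PAY_HOSTS
            or parts.port not in (None, 443)):
        raise ValueError("pay_url is not on an allowed HTTPS gateway host")
    return ("redirect", pay_url)

# Constructed sample, trimmed from the response shown above.
SAMPLE_3DS = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<order_number>NO12345678</order_number>
<payment_status>-1</payment_status>
<pay_url>https://test-secure.oceanpayment.com:443/gateway/direct/redirect?pay_id=2dfb964bb67134ba6ed72183a4eecfc5f35f4364745f75e12f50f33b6ac74ef8</pay_url>
</response>"""

if __name__ == "__main__":
    print(next_action(parse_response(SAMPLE_3DS)))
```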

Signature

Detailed signature and verification information is available in the Signature & Verification section.