World Pay (XML Direct)

About World Pay:

Our story started in 1989 with the launch of Streamline. The business at this point was a simple UK-based electronic payment provider that focused on point of sale transactions.

Worldpay emerged later as one of the first online payment companies in the UK. And in 2002, RBS brought them together – though they continued to operate as separate brands.

Over the next eight years, the business continued to grow organically with the acquisition of Lynk, TrustMarque International, Bibit, and Cardsave.

By 2010, Worldpay had become the largest merchant acquirer in Europe – and one of the largest globally.

Merchants who collect and store their shoppers’ payment details on their own platform can use the XML Direct model as an effective payment-processing gateway. With this model, the
The merchant collects both order and payment details and then communicates the relevant payment details on a per order basis with WorldPay, for processing.
The benefits of using the Direct Method for the merchant include being able to retain full control over the payment process and also the payment pages displayed to shoppers.
However, for this method to work successfully, it is important that the merchant ensures their own system operates within a secure environment so that payment details, which they collect and store, are protected. In view of the cost involved in establishing appropriate security
measures, this model only applies to merchants with established high transaction volumes.

Implemented Features:

Feature Level of Support
Auth Implemented
Sale (Auth+Capture) Implemented
Capture Implemented
Void Implemented
Credit Implemented
Send XML Implemented
3DS 2 Full Integration Implemented
Credentials on File Implemented

Authentication and Security Credentials:

  • Username
  • Password

Supported Parameters:

Key Name Format Mandatory Descriptions
apiVersion Numerical Required “1.0.1”
apiType Alphabetical Required “pxyhpci”
userName Alphanumeric Required API Username
userPassKey Alphanumeric Required API PassKey
pxyCreditCard.creditCardNumber Numerical Required HostedPCI Token Representing Credit Card
pxy.CreditCard.cardCodeVerification Numerical Optional HostedPCI Token Representing CVV Code
pxyCreditCard.expirationMonth Numerical Required Expiration month with 2 digits for example, for December use “12”
pxyCreditCard.expirationYear Numerical Required Expiration year with 4 digits for example, for 2025, use “2025”
pxyTransaction.txnCurISO Alphabetical Required 3 letter ISO Currency Code for example, “USD” or “CAD”
pxyTransaction.txnAmount Numerical Required Amount to Authorize, for example for $10.50 use 10.50
pxyTransaction.merchantRefId Numerical Required Merchant reference number can be order id or invoice id
pxyTransaction.txnPayName Alphanumeric Required HostedPCI payment profile name, for example “DEF”
pxyTransaction.txnComment Alphabetical Optional Short comment Alphanumeric Optional Customer’s Email Address
pxyCustomerInfo.customerIP Numerical Optional Customer’s IP Address
pxyCustomerInfo.sessionId Numerical Optional World Pay Session ID
pxyCustomerInfo.billingLocation.firstName Alphabetical Optional Customer’s First Name
pxyCustomerInfo.billingLocation.lastName Alphabetical Optional Customer’s Last Name
pxyCustomerInfo.billingLocation.address Alphanumeric Required Customer’s Billing Address Alphabetical Required Customer’s Billing City
pxyCustomerInfo.billingLocation.zipCode Numerical Required Customer’s Billing Zip Code or Postal Code Alphabetical Required Customer’s Billing Country

API Endpoint URL:


API Request Body:


World Pay (XML Direct) offers 3DS 1.0 and 3DS 2.0 authentication feature:

3d Secure 1.0 WorldPay Implementation

World Pay 1.0 “verifyenroll” API Call
  • HostedPCI offers 3dSec 1.0 implementation with WorldPay.
  • In Order to make a successful verifyenroll call the following parameters are required.
pxyTransaction.txnPayName [3dsPayProfile] – Name of the 3d secure payment profile.
pxyThreeDSecAuth.actionName [verifyenroll]
pxyCustomerInfo.browserAcceptHeader [browserAcceptHeader]
pxyCustomerInfo.browserUserAgentHeader [browseruserAgentHeader]
pxyThreeDSecAuth.callMode [reportall] – will return once 3d secure has been authenticated with credentials for second API call
pxyCustomerInfo.sessionId [sessionID] – also needed in the verifyresp call
pxyCustomerInfo.billingLocation.firstName [3D] – to initiate world pay 3DSec 1.0
World Pay 1.0 “verifyresp” API Call
  • If verifyenroll call was successful it will return parameters required to make verifyresp call.
  • The following parameters are required for PIN verification call.
pxyTransaction.txnPayName [3dPayProfileName]
pxyThreeDSecAuth.actionName [verifyresp]
pxyThreeDSecAuth.authTxnId [threeDSTransactionId] – returned from the ‘verifyenroll’ call.
pxyCustomerInfo.sessionId [sessionID] – same as the verifyenroll call
pxyThreeDSecAuth.paReq [pxyResponse.threeDSPARequest] – response from the verifyenroll call
pxyThreeDSecAuth.authAcsUrl [pxyResponse.threeDSAcsUrl] – response from the verifyenroll call

WorldPay 3D Secure 2 Implementation

In order to implement 3D Secure 2, the World Pay payment profile must include these three parameters during profile setup.

Parameter Name Required Value
3DS Parameters (enable=Y;apiKey=XXX) enable=Y;apiKey=ae9715ef-99d8-4467-a3bb-8c463c10edf0;apiIdentifier=5fda1ca955f105709e269351;orgUnitId=5fda1ca94e370853219266ee;ttlMillis=0
3DS Setup Init URL
3DS Override PIN URL

3D Secure 2.0 Implementation with World Pay – “verifyenroll” API call

  • In Order to implement ThreeDSecure 2.0 with WorldPay the following parameters are required.
  • The table below contains the parameter required for the verifyenroll call.
pxyThreeDSecAuth.authSessionId [cruiseSessionId returned within threeDSValuesObj in hpciSiteSuccessHandlerV4 and later versions]
pxyThreeDSecAuth.authOrderId [threeDSOrderId returned within threeDSValuesObj in hpciSiteSuccessHandlerV4 and later versions]
pxyCustomerInfo.billingLocation.firstName [ AUTHORISED or REFUSED] – to initiate 3ds challange process
pxyCustomerInfo.browserAcceptHeader [browserAcceptHeader]
pxyCustomerInfo.browserUserAgentHeader [browserUserAgentHeader]
pxyThreeDSecAuth.callMode [reportall]
pxyTransaction.txnPayName [3dsecProfileName]
pxyThreeDSecAuth.actionName [verifyenroll]

3ds 2.0 World Pay “verifyresp” call

  • If ‘verifyenroll’ was successful it will return parameters required for verification call.
  • The table below contains parameters required to make the second auth call with worldpay 3ds 2.0.
pxyThreeDSecAuth.authTxnId [pxyResponse.threeDSTransactionId] – returned from the ‘verifyenroll’ call]
pxyTransaction.txnPayName [3dPayProfileName]
pxyThreeDSecAuth.actionName [verifyresp]
pxyThreeDSecAuth.authSessionId [same as the verifyenroll call]
pxyThreeDSecAuth.paReq [pxyResponse.threeDSPARequest] – response from the verifyenroll call
pxyThreeDSecAuth.authAcsUrl [pxyResponse.threeDSAcsUrl] – response from the verifyenroll call
pxyThreeDSecAuth.messageId [pxyResponse.threeDSMessageId] – response from the verifyenroll call

World Pay XML Direct Credentials on File:

Credentials on FIle with Bambora can be set up during the Bambora Payment profile setup. In Order to set up the Beanstream payment profile as Card on File the parameter Card On File defaults needs to be set up as enable=Y;merInitReason=R. The parameter enable=Y tells the system to income the Credentials on the FIle process. The parameter merInitReason=R will set cardOnFileTxnType to R (Recurring). It can be overridden with the parameter listed below. Otherwise, the Card on FIle process is initiated based on the availability of CVV.

World Pay XML Direct Override Parameters

pxyTransaction.cardOnFileTxnRef [0 /1] – 1 for MIT transaction
pxyTransaction.cardOnFileTxnType [C/R/U] – CIT or Reaccuring MIT or Unscheduled MIT
pxyTransaction.cardOnFileIssuerId [cardOnFile Issuer ID]