SagePay Gateway Guide

close

Services and Compatibility

Payment Gateway Company Name:
SagePay UK
Services that work with Spreedly:
  • SagePay’s Direct Integration
Services that do not work with Spreedly:
  • SagePay iFrame based accounts **
  • SagePay Form based accounts
Supported operations:
Purchase, Authorize, Capture, Refund, Void, Verify
Supported payment types:
Credit Card
Spreedly 3DS2 Global Supported
No
Gateway Specific 3DS2 Supported
Yes
Populate MIT GSF Support
No
Regions:
Europe
API endpoint URL:
https://live.sagepay.com/gateway/service

Authentication and Security

Specific names for credentials:
Vendor Login Name
Additional steps needed to activate?
Yes. You’ll need to add Spreedly’s IP address to the list of valid IPs. And email us so we can contact SagePay on your behalf.

Onboarding Merchants in:

Additional Notes

** SagePay iFrame based accounts do not work with Spreedly. Please note that the “Spreedly iFrame” is supported and works well with SagePay.

The IP addresses for white listing are listed here.

Contact Spreedly when you are ready to go live. SagePay typically requires a test transaction to be run before your account can be enabled for live transactions. We can contact SagePay for you to get it all sorted without needing a test transaction; we just need to know your vendor name. This is typically a 24 hour end-to-end task.

In order to setup recurring transactions, the merchant will need to obtain a Continuous Authority merchant number from their merchant acquirer. Once you have the Continuous Authority number, you can add it to your SagePay account (https://www.sagepay.co.uk/support/12/38/adding-more-merchant-numbers).

SagePay does not support IPv6 format for customer transaction IP addresses.

Contact Spreedly to enroll in version 4.

Adding a SagePay gateway

Once you’ve got SagePay prepped, you can create a SagePay gateway like so:


curl https://core.spreedly.com/v1/gateways.xml \
  -u 'C7cRfNJGODKh4Iu5Ox3PToKjniY:4UIuWybmdythfNGPqAqyQnYha6s451ri0fYAo4p3drZUi7q2Jf4b7HKg8etDtoKJ' \
  -H 'Content-Type: application/xml' \
  -d '<gateway>
        <gateway_type>sage_pay</gateway_type>
        <login>Your Vendor Name</login>
      </gateway>'

<gateway>
  <token>4RGEQimnj4xvjjy4zjtKzJh8MKQ</token>
  <gateway_type>sage_pay</gateway_type>
  <name>SagePay</name>
  <description nil="true"/>
  <login>Your Vendor Name</login>
  <characteristics>
    <supports_purchase type="boolean">true</supports_purchase>
    <supports_authorize type="boolean">true</supports_authorize>
    <supports_capture type="boolean">true</supports_capture>
    <supports_credit type="boolean">true</supports_credit>
    <supports_general_credit type="boolean">false</supports_general_credit>
    <supports_void type="boolean">true</supports_void>
    <supports_verify type="boolean">true</supports_verify>
    <supports_reference_purchase type="boolean">true</supports_reference_purchase>
    <supports_purchase_via_preauthorization type="boolean">false</supports_purchase_via_preauthorization>
    <supports_offsite_purchase type="boolean">false</supports_offsite_purchase>
    <supports_offsite_authorize type="boolean">false</supports_offsite_authorize>
    <supports_3dsecure_purchase type="boolean">true</supports_3dsecure_purchase>
    <supports_3dsecure_authorize type="boolean">true</supports_3dsecure_authorize>
    <supports_store type="boolean">false</supports_store>
    <supports_remove type="boolean">false</supports_remove>
    <supports_fraud_review type="boolean">false</supports_fraud_review>
  </characteristics>
  <credentials>
    <credential>
      <name>login</name>
      <value>Your Vendor Name</value>
    </credential>
  </credentials>
  <gateway_specific_fields>
    <gateway_specific_field>gift_aid_payment</gateway_specific_field>
    <gateway_specific_field>apply_avscv2</gateway_specific_field>
    <gateway_specific_field>repeat</gateway_specific_field>
    <gateway_specific_field>account_type</gateway_specific_field>
  </gateway_specific_fields>
  <payment_methods>
    <payment_method>credit_card</payment_method>
  </payment_methods>
  <state>retained</state>
  <redacted type="boolean">false</redacted>
  <created_at type="dateTime">2019-03-28T18:57:22Z</created_at>
  <updated_at type="dateTime">2019-03-28T18:57:22Z</updated_at>
</gateway>

Gateway Specific 3D Secure 2

With the latest SagePay API version all transaction are in scope for 3DS2. The following fields are required when using gateway specific 3DS2 on SagePay.

  • browser_info
    • accept_header
    • language
    • user_agent
    • java # if true the below fields are required
      • height
      • depth
      • width
      • timezone
    • browser_size

For more detailed information to the 3DS2 gateway specific, refer to this documentation

Stored Credentials

For SagePay gateway, sending stored credential fields can be done using Spreedly’s first class support. Sending stored credential data is simple. For any Authorize, Purchase, or Verify request, you need to include these fields which tell Spreedly a little bit more about the nature of the transaction:

Field Description Required by stored_credential_reason_type
recurring_expiry Date the agreement expires in YYYY-MM-DD. recurring & installment
recurring_frequency Number of days between charges (ex: an annual renewal is 365). recurring & installment
installment_data Number of payments required to complete installment. installment

Learn more about how Spreedly enables seamless use of stored credentials by reviewing our Stored Credentials Guide.

Gateway Specific Fields

When interacting with a SagePay gateway to run transactions, there are some gateway specific fields you can specify when making a purchase or authorize call.

SagePay allows you to specify an optional gift_aid_payment field to indicate that the payment is a Gift Aid charitable donation and the customer has agreed to donate the tax. SagePay also allows you to fine tune the AVS/CV2 checks and rule set you’ve defined at a transaction level using the apply_avscv2 field. This is useful in circumstances where direct and trusted customer contact has been established and you wish to override the default security checks.

SagePay allows you to specify an optional account_type field used to select which merchant account to use.

These fields can be specified like so:


curl https://core.spreedly.com/v1/gateways/LlkjmEk0xNkcWrNixXa1fvNoTP4/purchase.xml \
  -u 'C7cRfNJGODKh4Iu5Ox3PToKjniY:4UIuWybmdythfNGPqAqyQnYha6s451ri0fYAo4p3drZUi7q2Jf4b7HKg8etDtoKJ' \
  -H 'Content-Type: application/xml' \
  -d '<transaction>
        <payment_method_token>56wyNnSmuA6CWYP7w0MiYCVIbW6</payment_method_token>
        <amount>100</amount>
        <currency_code>USD</currency_code>
        <gateway_specific_fields>
          <sage_pay>
            <gift_aid_payment>1</gift_aid_payment>
            <apply_avscv2>1</apply_avscv2>
            <repeat>true</repeat>
            <account_type>E</account_type>
          </sage_pay>
        </gateway_specific_fields>
      </transaction>'

<transaction>
  <on_test_gateway type="boolean">true</on_test_gateway>
  <created_at type="dateTime">2024-01-30T18:11:50Z</created_at>
  <updated_at type="dateTime">2024-01-30T18:11:50Z</updated_at>
  <succeeded type="boolean">true</succeeded>
  <state>succeeded</state>
  <token>EsmwgyOxn6SVDDQxLPT2iktQ1Pm</token>
  <transaction_type>Purchase</transaction_type>
  <order_id nil="true"/>
  <ip nil="true"/>
  <description nil="true"/>
  <email nil="true"/>
  <merchant_name_descriptor nil="true"/>
  <merchant_location_descriptor nil="true"/>
  <merchant_profile_key nil="true"/>
  <gateway_specific_fields>
    <sage_pay>
      <gift_aid_payment>1</gift_aid_payment>
      <apply_avscv2>1</apply_avscv2>
      <repeat>true</repeat>
      <account_type>E</account_type>
    </sage_pay>
  </gateway_specific_fields>
  <gateway_specific_response_fields>
  </gateway_specific_response_fields>
  <gateway_transaction_id>61</gateway_transaction_id>
  <sub_merchant_key nil="true"/>
  <gateway_latency_ms type="integer">1</gateway_latency_ms>
  <warning nil="true"/>
  <application_id nil="true"/>
  <amount type="integer">100</amount>
  <local_amount nil="true"/>
  <currency_code>USD</currency_code>
  <retain_on_success type="boolean">false</retain_on_success>
  <payment_method_added type="boolean">false</payment_method_added>
  <smart_routed type="boolean">false</smart_routed>
  <stored_credential_initiator nil="true"/>
  <stored_credential_reason_type nil="true"/>
  <stored_credential_alternate_gateway nil="true"/>
  <populate_mit_fields type="boolean">false</populate_mit_fields>
  <message key="messages.transaction_succeeded">Succeeded!</message>
  <gateway_token>T11bJAANtTWnxl36GYjKWvbNK0g</gateway_token>
  <gateway_type>test</gateway_type>
  <shipping_address>
    <name>Newfirst Newlast</name>
    <address1 nil="true"/>
    <address2 nil="true"/>
    <city nil="true"/>
    <state nil="true"/>
    <zip nil="true"/>
    <country nil="true"/>
    <phone_number nil="true"/>
  </shipping_address>
  <response>
    <success type="boolean">true</success>
    <message>Successful purchase</message>
    <avs_code nil="true"/>
    <avs_message nil="true"/>
    <cvv_code nil="true"/>
    <cvv_message nil="true"/>
    <pending type="boolean">false</pending>
    <result_unknown type="boolean">false</result_unknown>
    <error_code nil="true"/>
    <error_detail nil="true"/>
    <cancelled type="boolean">false</cancelled>
    <fraud_review nil="true"/>
    <created_at type="dateTime">2024-01-30T18:11:50Z</created_at>
    <updated_at type="dateTime">2024-01-30T18:11:50Z</updated_at>
  </response>
  <api_urls>
  </api_urls>
  <payment_method>
    <token>1rpKvP8zOUhj4Y9EDrIoIYQzzD5</token>
    <created_at type="dateTime">2017-06-26T17:04:38Z</created_at>
    <updated_at type="dateTime">2024-01-29T17:57:02Z</updated_at>
    <email>joey@example.com</email>
    <data>
      <my_payment_method_identifier>448</my_payment_method_identifier>
      <extra_stuff>
        <some_other_things>Can be anything really</some_other_things>
      </extra_stuff>
    </data>
    <storage_state>retained</storage_state>
    <test type="boolean">true</test>
    <metadata>
      <key>string value</key>
    </metadata>
    <callback_url nil="true"/>
    <last_four_digits>1111</last_four_digits>
    <first_six_digits>411111</first_six_digits>
    <card_type>visa</card_type>
    <first_name>Newfirst</first_name>
    <last_name>Newlast</last_name>
    <month type="integer">3</month>
    <year type="integer">2032</year>
    <address1 nil="true"/>
    <address2 nil="true"/>
    <city nil="true"/>
    <state nil="true"/>
    <zip nil="true"/>
    <country nil="true"/>
    <phone_number nil="true"/>
    <company nil="true"/>
    <full_name>Newfirst Newlast</full_name>
    <eligible_for_card_updater type="boolean">true</eligible_for_card_updater>
    <shipping_address1 nil="true"/>
    <shipping_address2 nil="true"/>
    <shipping_city nil="true"/>
    <shipping_state nil="true"/>
    <shipping_zip nil="true"/>
    <shipping_country nil="true"/>
    <shipping_phone_number nil="true"/>
    <issuer_identification_number nil="true"/>
    <click_to_pay type="boolean">false</click_to_pay>
    <managed nil="true"/>
    <payment_method_type>credit_card</payment_method_type>
    <stored_credential_usage>
      <test>
        <original_network_transaction_id>37be5367d6dbe4a88c9d</original_network_transaction_id>
        <network_transaction_id>37be5367d6dbe4a88c9d</network_transaction_id>
      </test>
    </stored_credential_usage>
    <errors>
    </errors>
    <verification_value></verification_value>
    <number>XXXX-XXXX-XXXX-1111</number>
    <fingerprint>e3cef43464fc832f6e04f187df25af497994</fingerprint>
  </payment_method>
  <attempt_3dsecure type="boolean">false</attempt_3dsecure>
</transaction>

Please refer to using a payment method for more information on how to send GSFs

Gateway Specific Response Fields

A response from the SagePay gateway may contain the security_key, vps_auth_code, bank_auth_code, and decline_code fields, which you can find in the gateway_specific_response_fields. For example, a transaction response could look something like this:

<transaction>
  <token>LgpTNGjsWQs9DwdxcbreUVz0R8p</token>
  <transaction_type>Purchase</transaction_type>
  <gateway_specific_response_fields>
     <sage_pay>
       <security_key>abc123</security_key>
       <vps_auth_code>abc123</vps_auth_code>
       <bank_auth_code>abc123</bank_auth_code>
       <decline_code>05</decline_code>
     </sage_pay>
  </gateway_specific_response_fields>
</transaction>