Payment order cancellation API call flow (PISP)


This API cancels a payment order or a batch payment order.


Step 1: Use the access token with the scope PISP
The access token can be obtained either with SCA through the OAuth 2.0 Authorization code grant flow (SCA) or through the OAuth 2.0 Client credentials grant flow (Token by secret). See the Authorization API section.


Step 2: Initiate payment order cancellation
Initiate a DELETE request for payment order cancellation with a valid access token and the OrderId / BatchId of an existing payment order:

Payment order cancellation, Version 1
URL LIVE: DELETE https://api.csob.sk/pisp/api/v1/payments/{orderId}/rcp
URL SANDBOX: DELETE https://api.csob.sk/pisp-test/api/v1/payments/{orderId}/rcp

This service cancels a payment order or a batch payment order. The result can be checked via the Payment order status or Batch payment order status endpoint. On the API Explorer web site, the API can be tested online (Try it) and the API definition (WADL, Open API) can be downloaded.


Request:

Header

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| Authorization | Mandatory | String | Authorization is defined in RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage. The access token from Step 1 with the scope PISP must be used. |
| Request-ID | Mandatory | String | A unique identifier of a particular request message. Although it may be an arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122). |
| Correlation-ID | Optional | String | A unique correlation identifier that correlates the request and the response messages as a pair, especially useful for audit logs. Although it may be an arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122). |
| Process-ID | Optional | String | Identifier of a business or technical process under which the set of request and response pairs is organized (e.g. paging of transaction history should have the same ProcessID). Although it may be an arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122). |
| PSU-IP-Address | Mandatory | String | Identifier of the customer's IP address from which he/she is connected to the TPP infrastructure. It might be in the format of an IPv4 or IPv6 address. ASPSP shall indicate which values are acceptable. |
| PSU-Device-OS | Mandatory | String | The customer's device and/or operating system identification from which he/she is connected to the TPP infrastructure. |
| PSU-User-Agent | Mandatory | String | The customer's web browser or other client device identification from which he/she is connected to the TPP infrastructure. (Agent header field of the HTTP request between PSU and TPP.) |
| PSU-GeoLocation | Optional | String | The GPS coordinates of the customer's current location at the moment of connection to the TPP infrastructure. (Required GPS format: Latitude, Longitude) |
| PSU-Last-Logged-Time | Optional | DateTime | Last date and time when the user was logged in to the TPP app (RFC3339 format). |

Body

Payload is empty


Response:

Header

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| Content-Type | Mandatory | String | application/json |
| Response-ID | Mandatory | String | A unique identifier of a particular request message. Although it may be an arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122). |
| Correlation-ID | Optional | String | A unique correlation identifier that correlates the request and the response messages as a pair, especially useful for audit logs. Although it may be an arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122). |
| Process-ID | Optional | String | Identifier of a business or technical process under which the set of request and response pairs is organized (e.g. paging of transaction history should have the same ProcessID). Although it may be an arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122). |

Body

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| orderId | Mandatory | String | OrderId is a unique reference, as assigned by the account servicing institution, to unambiguously identify the instruction. This ID must be present in further requests. |

Example:

Request

DELETE https://api.csob.sk/pisp/api/v1/payments/6UYrbw35CddjepCndmGE51/rcp HTTP/1.1
Accept-Encoding: gzip,deflate
Authorization: nfLnmy5hGQrNKbPnfAasw2FDVw4fw6kWjVapMVa9zJw8emNvTU
Request-ID: 6229311433
Correlation-ID: 1638941891
Process-ID: 2563188585
PSU-IP-Address: 192.168.8.1
PSU-Device-OS: linux
PSU-User-Agent: Mozila
PSU-Geo-Location: 2.050279, 45.338591
PSU-Last-Logged-Time: 2021-03-05T14:27:37+01:00
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Response

HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Length: 34
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: SemdJcbmAamshsu5Czdf398HTxG4d2ky
Process-ID: 2563188585
Correlation-ID: 1638941891
Response-ID: 6229311433
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Fri, 05 Mar 2021 13:27:40 GMT

{
   "orderId": "XHim7JXu0YX5GtgA1kVH"
}
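
The request and response handling of Step 2 as a client-side sketch, added here as an example and not ČSOB's own code. It builds the DELETE request with the mandatory headers from the table above, validates caller-supplied values before they reach the URL or header block, and checks the reply before the returned orderId is used in Step 3. The function names, the "Bearer" prefix (taken from RFC 6750) and the treatment of 202 as the only accepted status (taken from the example response) are assumptions.

```python
import ipaddress
import uuid
from urllib.parse import quote

SANDBOX_BASE = "https://api.csob.sk/pisp-test/api/v1"  # sandbox URL from the page


def build_cancellation(order_id, access_token, psu_ip, psu_os, psu_agent,
                       last_logged=None, base=SANDBOX_BASE):
    """Return (method, url, headers) for the Step 2 DELETE; nothing is sent."""
    if not order_id or order_id in (".", ".."):
        raise ValueError("orderId / batchId is missing or a dot segment")
    ipaddress.ip_address(psu_ip)  # raises ValueError unless IPv4 or IPv6
    for name, value in (("access token", access_token),
                        ("PSU-Device-OS", psu_os), ("PSU-User-Agent", psu_agent)):
        # Mandatory values: reject empty ones and CR/LF (header injection).
        if not value.strip() or "\r" in value or "\n" in value:
            raise ValueError(f"invalid {name}")
    headers = {
        # Assumption: RFC 6750 "Bearer" scheme, which the header table cites.
        "Authorization": f"Bearer {access_token}",
        "Request-ID": str(uuid.uuid4()),      # fresh UUIDv4 per request
        "Correlation-ID": str(uuid.uuid4()),  # optional, kept for audit logs
        "PSU-IP-Address": psu_ip,
        "PSU-Device-OS": psu_os,
        "PSU-User-Agent": psu_agent,
    }
    if last_logged is not None:
        if last_logged.tzinfo is None:
            raise ValueError("PSU-Last-Logged-Time needs a UTC offset (RFC 3339)")
        headers["PSU-Last-Logged-Time"] = last_logged.isoformat(timespec="seconds")
    # Percent-encode the ID so "/", "?" or "#" cannot alter the request path.
    url = f"{base}/payments/{quote(order_id, safe='')}/rcp"
    return "DELETE", url, headers


def check_response(status, resp_headers, body, sent_headers):
    """Return the orderId for Step 3, or raise if the reply does not match."""
    if status != 202:  # assumption: 202 Accepted, as in the page's example
        raise ValueError(f"cancellation not accepted: HTTP {status}")
    sent = sent_headers.get("Correlation-ID")
    if sent and resp_headers.get("Correlation-ID") != sent:
        raise ValueError("Correlation-ID does not match the request")
    if not body.get("orderId"):
        raise ValueError("response body lacks mandatory orderId")
    return body["orderId"]
```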


Step 3: Redirect to CSOB for Strong Customer Authentication (SCA) and payment order cancellation authorization.
The redirection link (parameter Request) must contain the Order ID obtained in Step 2. SCA and authorization of the payment order cancellation are performed by the client in the bank environment using credentials issued by the bank (see section API Authorization/SCA). After this procedure, the client is redirected back to the third-party application. The redirect link contains an authorization code, which must be used in the next step.


Step 4: Exchange authorization code for access token
Initiate a POST request for Authorization code with the code obtained in Step 3. For details see Authorization API / Authorization Code. The response contains an access token, which is bound to the specific request and must be used in the next step to submit the payment order cancellation.


Step 5: Submit authorized payment order cancellation.
Initiate a POST request for Standard payment submission with the valid access token obtained in Step 4. For details see the Payment initiation API (PISP) / Standard payment submission section.