ČSOB API Developer portal

This API allows to update standing order.

Step 1: Use the access token with the scope PISP
Obtaining access token can be based on SCA by OAuth 2.0 Authorization code grant flow (SCA) or on OAuth 2.0 Client credentials grant flow (Token by secret). See Authorization API section.

Step 2: Initiate standing order update
Initiate PUT request for Standing order update with valid access token and OrderId of existing standing order:

Standing order update Version1

URL LIVE URL SANDBOX

PUT https://api.csob.sk/pisp/api/v1/payments/standingOrder/{orderid}/sba PUT https://api.csob.sk/pisp-test/api/v1/payments/standingOrder/{orderid}/sba

This service allows to update Standing order in JSON format. Only EUR payments within SEPA area are allowed (excluding Switzerland and Monaco). Fields, where value is requested to be removed, must be sent with empty value (e.g. endDate). New values for fields which can not be updated will be ignored. On API Explorer web site there is a possibility to test the API online (Try it) and download API definition (WADL, Open API).

Request:

Header

Attributes structure	Optionality	Type	Description
Content-Type	Mandatory	String	application/json;charset=UTF-8
Authorization	Mandatory	String	Authorization is defined in RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
Request-ID	Mandatory	String	A unique identifier of a particular request message. Although it may be arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122).
Correlation-ID	Optional	String	A unique correlation identifier correlates the request and the response messages as a pair especially useful for audit logs. Although it may be arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122).
Process-ID	Optional	String	Identifier of a business or technical process to what the set of requests and response pairs are organized (e.g. paging of transaction history should have same ProcessID). Although it may be arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122).
PSU–IP-Address	Mandatory	String	Identifier of a customer’s IP address from which he/she is connected to the TPP infrastructure. It might be in the format of IPv4 o IPv6 address. ASPSP shall indicate which values are acceptable.
PSU-Device-OS	Mandatory	String	A customer’s device and/or operating system identification from which he/she is connected to the TPP infrastructure.
PSU-User-Agent	Mandatory	String	A customer’s web browser of other client device identification from which he/she is connected to the TPP infrastructure. Agent header field of the http request between PSU and TPP.)
PSU-GeoLocation	Optional	String	The GPS coordinates of the current customer’s location in the moment of connection to the TPP infrastructure. (Required GPS format: Latitude, Longitude)
PSU-Last-Logged-Time	Optional	DateTime	Last date and time when user was logged to TPP app (RFC3339 format).

Body

Attributes structure
Level 1	Level 2	Optionality	Type	Description
instructionIdentification		Mandatory	String [200]	Technical identification of the payment generated by a PISP (or PSU).
creationDateTime		Optional	DateTime	The date and time in RFC3339 format at which a particular action has been requested or executed.
creditor	name	Optional	String [70]	Creditor name (first name and surname in case of individual persons or company name)
creditor	addressLine1	Optional	String [35]	Creditor address. Example: Street and number
creditor	addressLine2	Optional	String [35]	Creditor address. Example: Town
instructedAmount	value	Optional	Number Float [9.2]	Transaction amount value. Numeric value of the amount as a fractional number. The fractional part has a maximum of two digits.
instructedAmount	currency	Optional	String[3]	Transaction amount currency. Formated in Alphabetic codes from ISO 4712. Only EUR is allowed.
endToEndIdentification		Optional	String [35]	Unique identification defined by a requestor (PSU)
remittanceInformation		Optional	String [140]	The text aimed as the information for a receiver of the transaction.
standingOrderName		Optional	String [40]	Standing order name.
endDate		Optional	Date	Expiry date of the standing order. If it is not present, validity of standing order is not limited. If it is to be updated, it should be at least nextDate + 1

Response:

Header

Attributes structure	Optionality	Type	Description
Content-Type	Mandatory	String	application/json
Response-ID	Mandatory	String	An unique identifier of a particular request message. Although it may be arbitrary string, it is strongly recommended to use a Universally Unique Ifentifier (UUID) version 4 form (RFC4122).
Correlation-ID	Optional	String	A unique correlation identifier correlates the request and the response messages as a pair especially useful for audit logs. Although it may be arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122).
Process-ID	Optional	String	Identifier of a business or technical process to what the set of requests and response pairs are organized (e.g. paging of transaction history should have same ProcessID). Although it may be arbitrary string, it is strongly recommended to use a Universally Unique Identifier (UUID) version 4 form (RFC4122).

Body

Attributes structure	Optionality	Type	Description
orderId	Mandatory	String	OrderId is Unique reference, as assigned by the account servicing institution, to unambiguously identify the instruction. This ID is needed to be present in further requests
status	Mandatory	Enum	Transaction status indicator is enumeration: - ACTC (AcceptedTechnicalValidation) - ACWC (AcceptedWithChange) - RJCT (Rejected)
reasonCode	Optional	Enum	ISO 20022 Reason Code*
statusDateTime	Mandatory	DateTime	The date and time in RFC3339 format at which a particular action has been requested or executed.
request	Optional	String	Signed JWT - security mitigation for unauthorized payment request changes Not used in CSOB

Example:

Request

PUT https://api.csob.sk/pisp/api/v1/payments/standingOrder/SO4gGLA3RxzfYtHHo4c/sba HTTP/1.1
Accept-Encoding: gzip,deflate
Authorization: nfLnmy5hGQrNKbPnfAasw2FDVw4fw6kWjVapMVa9zJw8emNvTU
Request-ID: 9325947864
Correlation-ID: 7783462056
Process-ID: 1070346244
PSU-IP-Address: 192.168.88.1
PSU-Device-OS: Windows
PSU-User-Agent: Chrome
PSU-Geo-Location: 2.050279, 45.338591
PSU-Last-Logged-Time: 2021-03-03T14:36:04+01:00
Content-Type: application/json;charset=UTF-8
Content-Length: 485
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5) 
{
  "instructionIdentification": "06445355860603744289496318701508453",
  "creditor": {
    "name": "JRD2 s.r.o ",
    "addressLine1": "PO BOX 55",
    "addressLine2": ""
  },
  "instructedAmount": {
    "value": 0.18,
    "currency": "EUR"
  },
  "endToEndIdentification": "/VS1234567890/SS9876543210/KS0308",
  "remittanceInformation": "Sprava pre prijemcu - zmena",
  "standingOrderName": "JRD 2 trvaly prikaz - zmena",
  "endDate": ""
}

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: 67rBbafXzazKxC9aC9QEhfMTd7e73n3H
Process-ID: 1070346244
Correlation-ID: 7783462056
Response-ID: 9325947864
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 19 Mar 2019 07:10:48 GMT 
{
    "orderId": "hnP6t7lb7xe2XdA4c",
    "status": "ACTC",
    "statusDateTime": "2021-03-04T14:36:06+01:00"
}

Step 3: Redirect to CSOB for Strong Customer Authentication (SCA) and standing order update authorization.
In redirect link, there must be Order ID obtained in Step 2. SCA and standing order update authorization is realized by client in bank environment using credentials issued by the bank (see section API Authorization/SCA). After this procedure, client is redirected back to third party application. In redirect link, there is an authorization code, which must be used in next step.

Step 4: Exchange authorization code for access token
Initiate POST request for Authorization code with a code obtained in Step 3. For details see Authorization API/Authorization code section. In response, there is an access token, which is binded to specific request and must be used in next step to submit the standing order update.

Step 5: Submit authorized standing order update.
Initiate POST request for Standard payment submission with valid access token obtained in Step 4. For Details see Payment initiation API (PISP) / Standard payment submission section.