eMerchantPay

Card payment gateway with 3D Secure v2 support. Processes Visa, Mastercard, and other major card schemes via the Genesis gateway. All pay-ins are submitted as sale3d transactions.

Operations: Pay-In ✓ | Pay-Out - | Webhook ✓
Processing: Synchronous or asynchronous via 3DS v2 - depending on the card issuer's challenge flow, the response may include a redirect URL for the cardholder to complete authentication before the final status is delivered via webhook.

Fields marked with * are required.

Configuration (Mozarto back office)

Field	Description
`username` *	Genesis API username
`password` *	Genesis API password
`apiKey` *	Terminal token - determines the processing route (currency, MID, risk profile). EMP issues separate tokens per route.
`siteUrl`	Fallback redirect URL for success and failure pages if `hppSuccessUrl`/`hppFailureUrl` are not supplied in the request
`webhookUrl`	Your HTTPS endpoint for transaction status updates

Pay-In

POST /v1/api/mozarto/cashier

Required header: x-user-token: Bearer <user-jwt> must be sent with every Pay-In request. See Authentication.

Request body

Field	Type	Description
`pspType` *	string	Always `"EMERCHANTPAY"`
`type` *	string	Always `"PAYIN"`
`baseamount` *	number	Amount as a decimal (e.g. `100.00`)
`currency` *	string	ISO 4217 currency code (e.g. `"EUR"`, `"USD"`, `"GBP"`)
`firstName` *	string	Cardholder first name
`lastName` *	string	Cardholder last name
`email` *	string	Cardholder email address
`phone`	string	Cardholder phone number
`card` *	object	Card details - see below
`card.pan` *	string	Card number (PAN)
`card.cvv` *	string	Card verification value
`card.expMonth` *	string	Expiry month (2 digits, e.g. `"03"`)
`card.expYear` *	string	Expiry year (4 digits, e.g. `"2027"`)
`card.cardHolderName` *	string	Name as it appears on the card
`usage`	string	Transaction description shown on the gateway. Defaults to `"Card deposit"`
`address`	object	Billing address
`address.line1`	string	Street address
`address.line2`	string	Additional street address line (apartment, suite, etc.)
`address.postalCode`	string	Postal / ZIP code
`address.city`	string	City
`address.state`	string	State or region (required for US cards)
`countryCode`	string	ISO 3166-1 alpha-2 billing country code (e.g. `"DE"`)
`browser`	object	Browser fingerprint for 3DS v2
`browser.userAgent`	string	`navigator.userAgent` - falls back to the `User-Agent` request header
`browser.acceptHeader`	string	`Accept` header sent by the browser
`browser.language`	string	`navigator.language`
`browser.colorDepth`	number	`screen.colorDepth`
`browser.screenHeight`	number	`screen.height`
`browser.screenWidth`	number	`screen.width`
`browser.timeZoneOffset`	number	`new Date().getTimezoneOffset()`
`browser.javaEnabled`	boolean	`navigator.javaEnabled()`
`hppSuccessUrl`	string	Redirect URL after successful 3DS authentication (overrides `siteUrl` from config)
`hppFailureUrl`	string	Redirect URL on failure (overrides `siteUrl` from config)
`threeDs2Control`	object	Optional 3DS v2 control overrides: `deviceType` (default `"browser"`), `challengeWindowSize` (default `"full_screen"`), `challengeIndicator` (default `"preference"`)
`threeDs2Purchase`	object	Optional 3DS v2 purchase overrides: `category` (default `"service"`)
`threeDs2MerchantRisk`	object	Optional 3DS v2 merchant-risk overrides: `shippingIndicator` (default `"digital_goods"`), `deliveryTimeframe` (default `"electronic"`), `reorderItemsIndicator` (default `"first_time"`), `preOrderPurchaseIndicator` (default `"merchandise_available"`)
`brandId`	string	Brand identifier for multi-brand setups

3DS v2 browser data: EmerchantPay requires browser fingerprinting for 3DS v2. Populate the browser object from the cardholder's browser at checkout. If omitted, Mozarto falls back to request headers where possible, but the issuer may decline the transaction or force a challenge step.

3DS v2 overrides: threeDs2Control, threeDs2Purchase, and threeDs2MerchantRisk are optional. Mozarto emits safe defaults for every field, so only send these objects to override a specific value for your risk profile.

Example request

{
  "pspType": "EMERCHANTPAY",
  "type": "PAYIN",
  "baseamount": 100.00,
  "currency": "EUR",
  "firstName": "Jane",
  "lastName": "Doe",
  "email": "player@example.com",
  "phone": "+491701234567",
  "card": {
    "pan": "4111111111111111",
    "cvv": "123",
    "expMonth": "12",
    "expYear": "2027",
    "cardHolderName": "JANE DOE"
  },
  "address": {
    "line1": "123 Main St",
    "postalCode": "10115",
    "city": "Berlin"
  },
  "countryCode": "DE",
  "browser": {
    "userAgent": "Mozilla/5.0 ...",
    "acceptHeader": "text/html,application/xhtml+xml",
    "language": "de-DE",
    "colorDepth": 24,
    "screenHeight": 900,
    "screenWidth": 1440,
    "timeZoneOffset": -60,
    "javaEnabled": false
  }
}

Card data security: Never log, store, or transmit raw card data (pan, cvv) outside of TLS-encrypted channels. The Mozarto backend does not persist raw card data - it is transmitted directly to EmerchantPay and discarded.

Response - direct approval

When the issuer approves without a challenge step:

{
  "status": "success",
  "isSuccess": true,
  "data": {
    "status": "approved",
    "redirect_url": null,
    "threeds_method_url": null,
    "transaction_id": "mozarto-abc123xyz",
    "unique_id": "emp_unique_id_456",
    "transactionId": "64a1f2b3c4d5e6f7a8b9c0d1",
    "merchantReference": "",
    "transaction_status": "APPROVED",
    "amount": 10000
  }
}

Response - 3DS challenge required

When the issuer requires cardholder authentication, redirect_url is populated:

{
  "status": "success",
  "isSuccess": true,
  "data": {
    "status": "pending_async",
    "redirect_url": "https://3ds.example.com/acs?token=abc",
    "threeds_method_url": null,
    "transaction_id": "mozarto-abc123xyz",
    "unique_id": "emp_unique_id_456",
    "transactionId": "64a1f2b3c4d5e6f7a8b9c0d1",
    "merchantReference": "",
    "transaction_status": "PENDING",
    "amount": 10000
  }
}

Redirect the cardholder to data.redirect_url to complete the 3DS challenge. The final outcome (APPROVED, DECLINED) is delivered via webhook once authentication completes.

Response - 3DS method step

Some issuers require a browser fingerprint step before the challenge. When data.redirect_url is null but data.threeds_method_url is set, EmerchantPay has returned a pending_async status with a 3DS method URL. Mozarto handles this transparently - data.redirect_url is automatically set to a Mozarto-hosted init page that drives the hidden-iframe fingerprint and then redirects to the challenge or confirmation URL.

Field	Description
`data.transactionId`	Mozarto transaction ID - use for status queries and idempotency
`data.unique_id`	EmerchantPay internal transaction identifier
`data.transaction_id`	EmerchantPay transaction ID (matches what was sent in the XML request)
`data.status`	EmerchantPay status: `approved`, `pending`, `pending_async`, `declined`, `error`
`data.transaction_status`	Mozarto normalized status: `APPROVED`, `PENDING`, `FAILED`
`data.redirect_url`	Present when the cardholder must complete a 3DS challenge - redirect here
`data.amount`	Amount in the smallest currency unit (e.g. cents)

Webhook

Mozarto calls your webhookUrl when the transaction reaches a final state.

The method field will be EMERCHANTPAY_PAYIN.

3DS async: Transactions that require a challenge step will initially resolve to PENDING. The webhook delivers the final status (APPROVED or DECLINED) once the cardholder completes or abandons the 3DS flow. Implement idempotency on your side. See Webhook Setup.

Error codes

EmerchantPay transport failures are mapped to normalized Mozarto errorCode values. Use errorCode for programmatic handling rather than parsing raw XML error strings.

Mozarto `errorCode`	PSP raw signal	When
`PSP_NOT_CONFIGURED`	Missing credentials in Mozarto back office	`username`, `password`, or `apiKey` (terminal token) not set for this company
`INVALID_PSP_CREDENTIALS`	HTTP 401 / 403, or body contains `"Authentication failed"`, `"authentication_error"`, `"Invalid credentials"`, or `"Unauthorized"`	Genesis API credentials or terminal token are wrong or expired
`PSP_TIMEOUT`	HTTP 408, or response body contains `"timeout"`	EmerchantPay did not respond in time - safe to retry
`PSP_UNAVAILABLE`	HTTP 5xx	Genesis gateway error - safe to retry with backoff
`PSP_RATE_LIMITED`	HTTP 429	Too many requests - retry after a delay
`UNKNOWN_PSP_ERROR`	Any other HTTP error or XML-level rejection	Fallback - check `data` for the raw Genesis XML response and contact support if it persists

Business rejections (HTTP 200): EmerchantPay may return HTTP 200 with data.status set to "declined" or "error" when the transaction is rejected at the card scheme or risk layer (e.g. insufficient funds, card blocked, 3DS failure). These are not transport errors and do not produce an errorCode response - the full parsed XML data is returned so you can display the appropriate message to the cardholder.

For the full list of errorCode values and retryability guidance, see Errors.

Emerchantpay

eMerchantPay#

Configuration (Mozarto back office)#

Pay-In#

Request body#

Example request#

Response - direct approval#

Response - 3DS challenge required#

Response - 3DS method step#

Webhook#

Error codes#