Settings for the Payment OK page (callback_ok)

General requirements

  • Callbacks often fail because of caching services. You should disable caching services like CloudFlare, Varnish, etc.
  • All image, link, stylesheet, and form elements must use double quotes for attributes. For example:

    <img src="image.png"/>
  • To prevent fraud attempts, the callback page must not accept traffic from any source but AltaPay's gateway. AltaPay's outgoing IP range is 185.206.120.0/24 (IPv6: 2a10:a200::/29). You can do this, for example, using the following .htaccess file:

    # Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for these directives
    order deny,allow
    deny from all
    allow from <valid outgoing IP address>

  • Encode the page using UTF-8, or use HTML entities.
  • The maximum size for resources (for example, HTML, images, or CSS files) is 2 MB.

  • Resources must have the appropriate content type. See Supported Resource Content Types.
  • Verify that all parameters posted to the callback page are accurate to ensure that a fraud attempt has not been made.

  • Callback URLs must only use ports 443 and 80.

Specific requirements (callback_ok)

  • Validate the order on the OK page. Don't use another page, as this causes problems if a customer uses the back button in the browser and accidentally resubmits a payment. Check that the amounts (reserved, captured, etc.) match your expectations. If they do not, something is wrong. In that case, consider putting the order on hold in your system until you figure out what happened with the payment.

  • In some cases, the fail page is triggered even after a transaction was successful, for example, if a customer goes back in the browser and submits an empty form. This does not in any way invalidate the successful transaction.
  • The OK-page should display a message that the purchase succeeded.
  • Both the FAIL- and the OK-page should display the content of the error_message field, if the cardholder_message_must_be_shown field has the value true.
  • The page must not contain a form for submitting the credit card info again.

  • On success, the HTTP response code should be 200 or, if you want us to redirect the user, 301, 302, 303 or 307.
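
An added example (not AltaPay's code) of the checks described above: accepting the callback only from the gateway ranges, validating the order on the OK page, and handling a back-button resubmit. The field names shop_orderid, amount and currency and the layout of the orders record are assumptions; error_message and cardholder_message_must_be_shown are the fields named above.

```python
import html
import ipaddress
from decimal import Decimal, InvalidOperation

# Gateway ranges exactly as stated in the requirements above.
GATEWAY_NETS = [ipaddress.ip_network("185.206.120.0/24"),
                ipaddress.ip_network("2a10:a200::/29")]

def from_gateway(remote_addr):
    """True only if the TCP peer address lies inside a gateway range.
    Pass the socket peer address, never a client-supplied forwarding header."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in GATEWAY_NETS)

def check_ok_callback(remote_addr, params, orders):
    """Decide what to do with one callback_ok POST.
    params: posted form fields; orders: shop records keyed by order id (assumed layout)."""
    if not from_gateway(remote_addr):
        return "reject"
    order = orders.get(params.get("shop_orderid"))   # assumed field name
    if order is None:
        return "reject"
    if order["confirmed"]:
        return "duplicate"          # back-button resubmit: do not process twice
    try:
        amount = Decimal(params.get("amount", ""))   # assumed field name
    except InvalidOperation:
        return "hold"
    # is_finite() rejects NaN/Infinity; comparing a signaling NaN would raise.
    if (not amount.is_finite() or amount != order["amount"]
            or params.get("currency") != order["currency"]):   # assumed field name
        return "hold"               # amounts do not match expectations
    order["confirmed"] = True
    return "confirm"

def cardholder_message(params):
    """Escaped error_message if cardholder_message_must_be_shown is true, else None."""
    if params.get("cardholder_message_must_be_shown") == "true":
        return html.escape(params.get("error_message", ""))
    return None
```

The returned action ("reject", "hold", "duplicate", "confirm") is for the shop's own order handling; which HTTP status to send follows the requirement above.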