Orange Money PSD2

REGISTRATION:

In order to register yourself as an official TPP partner with OMY. You need to send the following details to psd2.orangemoney@orange.com:

  • Return Urls in case of changes in SCA approach in the future.
  • A way to get the public key (in certificate form) with which you will sign the jwt tokens used for oAuth service.
  • Official name with which you want to be registered. Keep in mind that this will be displayed to the user when authorizing your requests.

SUMMARY:

General steps for a successful flow

1. Get authorization token

Get Authorization token from authentication server with the given credentials after registration.

Ensure that the appropriate scope is requested in the authorization token:

  • PIS: "payments"
  • AIS: "accounts"
2. Initiate

Use the above appropriate scope token to initiate an account information consent(AIS) or a payment request(PIS):

3. Status Of Request

Use the "/status" endpoints for both AIS and PIS to see the status of your request. The statuses available are the one described in the PSD2 Specification.

4. Account Information Access

In case of AIS requests these are the resource endpoints available to a tpp once the user has approved the initial consent request.

AIS:

Account Information Consent Request

BasePath:
“/mfs-psd2-pis”
Endpoint:
POST /v2/consents

Creates an account information consent resource at the ASPSP regarding access to account specified in this request.

Query Parameters:

No request body

Request Header:
Attribute Type Condition Description
x-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Authorization String Mandatory OAuth token.
TPP-Redirect-URI String Mandatory URI of the TPP, where the transaction flow shall be redirected to after a Redirect.
Request Body:
Attribute Type Condition Description
access Account Access Mandatory
recurringIndicator Boolean Mandatory true, if the consent is for recurring access to the account data false, if the consent is for one access to the account data
validUntil ISODate Mandatory This parameter is requesting a valid until date for the requested consent. The content is the local ASPSP date in ISODate Format, e.g. 2017-10-30. If a maximal available date is requested, a date in far future is to be used: "9999-12-31". The consent object to be retrieved by the GET Consent Request will contain the adjusted date.
frequencyPerDay Integer Mandatory This field indicates the requested maximum frequency
Response Codes:

201 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

502 BAD GATEWAY - Error Response Code | failure from other services in the OMY ecosystems

Response Header:
Attribute Type Condition Description
Location String Mandatory Location of the created resource
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
ASPSP-SCA-Approach UUID Mandatory REDIRECT
Response Body:
Attribute Type Condition
consentStatus Consent Status Mandatory
consentID String Mandatory
balances Balances Optional

Consent Staus

BasePath:
“/mfs-psd2-pis”
Endpoint:
GET /v2/consents/{consentId}/status

Gets the consent status for AIS.

Query Parameters:

No request body

Path Variables:
Attribute Type Description
consentId String Consent id received on initiation.
Request Header:
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Authorization String Mandatory OAuth token.
Response Codes:

200 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

502 BAD GATEWAY - Error Response Code | failure from other services in the OMY ecosystems

Response Header:
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Response Body:
Attribute Type Condition
consentStatus Consent Status Mandatory
consentID String Mandatory

1. Read Account List

BasePath:
“/mfs-psd2-pis”
Endpoint:
GET /v2/accounts { query-parameters }

Reads a list of bank accounts, with balances where required. It is assumed that a consent of the PSU to this access is already given and stored on the ASPSP system. The addressed list of accounts depends then on the PSU ID and the stored consent addressed by consentId, respectively the OAuth2 access token.

Query Parameters:
Attribute Type Condition Description
withBalance Boolean Optional If contained, this function reads the list of accessible payment accounts including the booking balance, if granted by the PSU in the related consent and available by the ASPSP. This parameter might be ignored by the ASPSP.
Request Header:
1. Read Account List
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Consent-ID String Mandatory Shall be contained since "Establish Consent Transaction" was performed via this API before.
Authorization String Mandatory An OAuth2 based authentication was performed in a pre-step.
Request Body:

No request body

Response Codes:

200 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

Response Header:
Attribute Type Condition Description
x-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Response Body:
Attribute Type Condition
accounts Array: Account Details Mandatory
Example:

Response body (example 1)

Response in case of an example, where the consent has been given for one IBAN and balances

{
"accounts": [
    {
    "resourceId": "1001",
    "iban": "RO66ORMF1715363001ORANGE",
    "currency": "EUR",
    "product": "Moneda scripturala",
    "status": "enabled",
    "balances": [
        {
        "balanceType": "closingBooked",
        "balanceAmount": {
            "currency": "EUR",
            "amount": "500"
            }
        },
        {
        "balanceType": "expected",
        "balanceAmount": {
            "currency": "EUR",
            "amount": "342"
            }
        }
    ]}
]}

Response body (example 2)

Response in case of an example, where the consent has been given for two different IBANs and balances

{
        {
    "accounts": [
        {
            "resourceId": "1001",
            "iban": "RO66ORMF1715363001ORANGE",
            "currency": "EUR",
            "product": "Moneda scripturala",
            "status": "enabled",
            "balances": [
                {
                    "balanceType": "closingBooked",
                    "balanceAmount": {
                        "currency": "EUR",
                        "amount": "500"
                    }
                },
                {
                    "balanceType": "expected",
                    "balanceAmount": {
                        "currency": "EUR",
                        "amount": "342"
                    }
                }
            ]
        },
        {
            "resourceId": "1002",
            "iban": "RO66ORMF1715363002ORANGE",
            "currency": "EUR",
            "product": "Moneda scripturala",
            "status": "enabled",
            "balances": [
                {
                    "balanceType": "closingBooked",
                    "balanceAmount": {
                        "currency": "EUR",
                        "amount": "123"
                    }
                },
                {
                    "balanceType": "expected",
                    "balanceAmount": {
                        "currency": "EUR",
                        "amount": "210"
                    }
                }
            ]
        }
    ]
}

2. Read Account Details

Endpoint:
GET /v2/accounts/{ account-id } { query-parameters }

Reads details about an account, with balances where required. It is assumed that a consent of the PSU to this access is already given and stored on the ASPSP system. The addressed details of this account depends then on the stored consent addressed by consentId, respectively the OAuth2 access token.

Query Parameters:
Attribute Type Condition Description
withBalance Boolean Optional If contained, this function reads the details of the addressed account including the booking balance, if granted by the PSU's consent and if supported by ASPSP. This data element might be ignored by the ASPSP.
Request Header:
Attribute Type Condition Description
x-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Consent-ID String Mandatory Shall be contained since "Establish Consent Transaction" was performed via this API before.
Authorization String Mandatory An OAuth2 based authentication was performed in a pre-step.
Request Body:

No request body

Response Codes:

200 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

502 BAD GATEWAY - Error Response Code | failure from other services in the OMY ecosystems

Response Header:
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Response Body:
Attribute Type Condition
accounts Account Details Mandatory
Example:

../v2/accounts/1001?withBalance=true

{
        {
    "resourceId": "1001",
    "iban": "RO66ORMF1715363001ORANGE",
    "currency": "EUR",
    "product": "Moneda scripturala",
    "status": "enabled",
    "balances": [
        {
            "balanceType": "closingBooked",
            "balanceAmount": {
                "currency": "EUR",
                "amount": "500"
            }
        },
        {
            "balanceType": "expected",
            "balanceAmount": {
                "currency": "EUR",
                "amount": "342"
            }
        }
    ]
}

3. Read Balance

Endpoint:
GET /v2/accounts/ { account-id } /balances

Reads account data from a given account addressed by "account-id".

Path Parameters:
Attribute Type Description
account-id String This identification is denoting the addressed account. The account-id is retrieved by using a "Read Account List" call.
Request Body:

No request body

Response Codes:

200 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

502 BAD GATEWAY - Error Response Code | failure from other services in the OMY ecosystems

Request Header:
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Consent-ID String Mandatory Shall be contained since "Establish Consent Transaction" was performed via this API before.
Authorization String Mandatory An OAuth2 based authentication was performed in a pre-step.
Request Body:

No request body

Response Codes:

200 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

502 BAD GATEWAY - Error Response Code | failure from other services in the OMY ecosystems

Response Header:
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Response Body:
Attribute Type Condition
accounts iban Mandatory
balances Array: Balance Mandatory
Example:

../v2/accounts/1001/balances

{
        {
    "account": "RO66ORMF1715363001ORANGE",b
    "balances": [
        {
            "balanceType": "closingBooked",
            "balanceAmount": {
                "currency": "EUR",
                "amount": "500"
            }
        },
        {
            "balanceType": "expected",
            "balanceAmount": {
                "currency": "EUR",
                "amount": "342"
            }
        }
    ]
}

4. Read Transactions

Endpoint:
GET /v2/accounts/ { account-id } /transactions {query-parameters}
Path Parameters:
Attribute Type Description
account-id String This identification is denoting the addressed account. The account-id is retrieved by using a "Read Account List" call.
Query Parameters:
Attribute Type Condition Description
dateFrom ISODate Conditional Starting date (inclusive the date dateFrom) of the transaction list.
dateTo ISODate Mandatory End date (inclusive the data dateTo) of the transaction list, default is "now" if not given.
bookingStatus String Mandatory Permitted codes are "booked", "pending" and "both" "booked" shall be supported by the ASPSP. To support the "pending" and "both" feature is optional for the ASPSP.
withBalance boolean Optional If contained, this function reads the list of transactions including the booking balance, if granted by the PSU in the related consent and available by the ASPSP. This parameter might be ignored by the ASPSP.
Request Header:
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Consent-ID String Mandatory Shall be contained since "Establish Consent Transaction" was performed via this API before.
Request Body:

No request body

Response Codes:

201 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

502 BAD GATEWAY - Error Response Code | failure from other services in the OMY ecosystems

Response Header:
Attribute Type Condition Description
Content-Type String Mandatory application/json
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Response Body:
Attribute Type Condition
account Account Reference (iban) Mandatory
transactions Account Report Optional
balances Balances Optional
Example:

Request:

… v1/accounts/1001/transactions?dateFrom=2018-01-01&dateTo=2018-07-29&bookingStatus=both&withBalance=true

Response:

{
        {
    "account": "RO66ORMF1715363001ORANGE",
    "transactions": {
        "booked": [
            {
                "bookingDate": "2018-03-2",
                "transactionAmount": {
                    "currency": "EUR",
                    "amount": "432.00"
                },
                "creditorName": "ENTITY 1",
                "debtorName": "ENTITY 2"
            }
        ],
        "pending": [
            {
                "bookingDate": "2018-07-2",
                "transactionAmount": {
                    "currency": "EUR",
                    "amount": "412.00"
                },
                "creditorName": "ENTITY 7",
                "debtorName": "ENTITY 8"
            }
        ]
    },
    "balances": [
        {
            "balanceType": "closingBooked",
            "balanceAmount": {
                "currency": "EUR",
                "amount": "120.00"
            }
        },
        {
            "balanceType": "expected",
            "balanceAmount": {
                "currency": "EUR",
                "amount": "327.00"
            }
        }
}

6. Confirmation of Funds Request

Endpoint:
POST /v2/funds-confirmations

Creates a confirmation of funds request at the ASPSP.

Query Parameters:

No specific query parameter.

Request Header:
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
Authorization String Mandatory OAuth token.
TPP-Redirect-URI String Mandatory URI of the TPP, where the transaction flow shall be redirected to after a Redirect.
Request Body:
Attribute Type Condition Description
cardNumber String Optional Card Number of the card issued by the PIISP. Should be delivered if available.
account iban Mandatory The merchant where the card is accepted as an information to the PSU.
payee String Optional An OAuth2 based authentication was performed in a pre-step.
instructedAmount Amount Mandatory Transaction amount to be checked within the funds check mechanism.
Response Codes:

201 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

502 BAD GATEWAY - Error Response Code | failure from other services in the OMY ecosystems

Response Header:
Attribute Type Condition Description
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party.
fundsAvailable String Mandatory Equals true if sufficient funds are available at the time of the request, false otherwise.
The following rules will apply in interpreting the Confirmation of Funds Request for multicurrency accounts:
  • The additional card number might support the choice of the sub-account.
  • If no card number, but the PSU account identifier is contained: check on default account registered by customer.
  • If no card number but the PSU and the account identifier with currency is contained: check the availability of funds on the corresponding sub-account.
  • If card number and the PSU account identifier is contained:: check on sub-account addressed by card, if the addressed card is registered with one of the sub-accounts.
  • If the card number is not registered for any of the accounts, the card number is ignored.
Account Details:
Attribute Type Description
resourceID String This is the data element to be used in the path when retrieving data from a dedicated account
iban String
currency String
product String
status String

Account status. The value is one of the following:

  • "enabled": account is available
  • "deleted": account is terminated
  • "blocked": account is blocked e.g. for legal reasons
balances Array: Balances
Balances
Attribute Type
balanceAmount Amount
balanceType String
referenceDate ISODate
Account Report
Attribute Type
booked Array: Transaction
pending Array: Transaction
Transactions
Attribute Type Description
bookingDate ISODate The Date when an entry is posted to an account on the ASPSPs books.
transactionAmount Amount The amount of the transaction as billed to the account.
creditorName String Name of the creditor if a "Debited" transaction
debtorName String Name of the debtor if a "Credited" transaction.

PIS:

Payment Initiation Endpoint:

BasePath:
“/mfs-psd2-pis”
Request:
POST BasePath + "/v2/payments/sepa-credit-transfers"
Headers:
Attribute Type Condition Description
Content-Type application/json Mandatory
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party
Authorization String Mandatory Bearer Token received on OAuth2 based authentication performed in a pre-step
Request Body:

Payment initation body

Attribute Type Condition Description
endToEnd String Optional Maximum 35 characters
debtorAccount Account Reference Optional Definition of the entity at Section 10 Account Reference
instructedAmount Amount Mandatory Definition of the entity at Section 10 Amount
creditorAccount Account Reference Mandatory Definition of the entity at Section 10 Account Reference
creditorName String Mandatory Maximum 70 characters
creditorAddress Address Optional Definition of the entity at Section 10 Address
remittance Remittance Mandatory Maximum 140 characters
Response Codes:

201 OK - Successful Response Code

400 BAD REQUEST - Error Response Code | duplicate x-Request-ID, malformed IBAN, currency other than RON, other validation errors

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

502 BAD GATEWAY - Error Response Code | failure from other services in the OMY ecosystems

Response Headers:
Location String Condition Description
Location String Mandatory Location of the created resource, if created
X-Request-ID UUID Mandatory ID of the request, unique to the call, as determined by the initiating party
ASPSP-SCA-Approach String Mandatory The OAuth SCA approach will be subsumed by REDIRECT
Response Body:
Attribute Type Condition Description
transactionStatus Transaction Status Mandatory
paymentID String Mandatory Resource identification of the generated payment initiation resource
transactionFees Amount Optional Can be used by the ASPSP to transport transaction
transactionFeeIndicator Boolean Optional If equals true, the transaction will involve specific transaction cost as shown by the ASPSP
scaMethods Array of authentication objects Conditional Is not applicable at the current moment as only one authentication method will be used
_links Links Mandatory A list of hyperbolinks to be recognized by the TPP. The actual hyperlinks used in the response depend on the dynamical decisions of the ASPS when processing the request
psuMessage String Optional Max 512 characters, text to be displayed to the PSU
tppMessages Array of TPP Message Information Optional Messages to the TPP on operational issues

Payment Status

BasePath:
“/mfs-psd2-pis”
Request:
Get BasePath + “/v2/payments/sepa-credit-transfers/{paymentId}/status"
Path Variables:
Attribute Type Description
payment ID String Resource identification of the related payment
Request Headers:
Attribute Type Condition Description
Authorization String Mandatory
Response Codes:

200 OK - Successful Response Code

401 UNAUTHORIZED - Error Response Code | OAuth authentication failed

403 FORBIDDEN - Error Response Code | unauthorized user for selected action

500 INTERNAL SERVER ERROR - Error Response Code | unhandled business case or internal error

Response Body:
Attribute Type Condition Description
transactionStatus String Mandatory 10 Links

9. Entities Definition

Account Reference
  • String iban
  • String bban
  • String pan
  • String maskedPan
  • String msisdn
  • CurrencyCode currency (Currency codes according to the ISO 4217 standard)
TPP Message Information
  • String category
  • String code
  • String path
  • String text
Amount
  • CurrencyCode currency (Currency codes according to the ISO 4217 standard)
  • String amount
Address
  • String street
  • String buildingNumber
  • String city
  • String postalCode
  • CountryCode country (Currency codes according to the ISO 3166-1 standard)
Links(all fields are optional)
  • HrefType scaRedirect
  • HrefType scaOAuth/strong>
  • HrefType startAuthorisation
  • HrefType startAuthorisationWithPsuIdentification
  • HrefType updatePsuIdentification
  • HrefType startAuthorisationWithProprietaryData
  • HrefType updateProprietaryData
  • HrefType startAuthorisationWithPsuAuthentication
  • HrefType updatePsuAuthentication
  • HrefType startAuthorisationWithEncryptedPsuAuthentication
  • HrefType updateEncryptedPsuAuthentication
  • HrefType startAuthorisationWithTransactionAuthorisation
  • HrefType selectAuthenticationMethod
  • HrefType authoriseTransaction
  • HrefType self
  • HrefType status
  • HrefType scaStatus
  • HrefType account
  • HrefType balances
  • HrefType transactions
  • HrefType transactionDetails
  • HrefType first
  • HrefType next
  • HrefType previous
  • HrefType last
  • HrefType download
Hreftype
  • HrefType href

sus

Sediul Orange Money: Clădirea GREEN COURT, Corpul C, Etaj 11, Strada Gara Herăstrău 4D, Sectorul 2, București 020334

Serviciul Orange Money este furnizat de Orange Money IFN SA şi autorizat de Banca Naţională a României. Orange Money IFN SA este înregistrată cu nr. IEME - RO - 003 - / 21.12.2015 în Registrul Instituţiilor Emitente de Monedă Electronică gestionat de BNR.

Link-uri utile Orange Money

PSD2, SCA, Plăți în U.E.