Security

OVERVIEW


TECHNICAL STANDARDS AND SECURITY STANDARDS

The security standard is the part of the National Open API Payment Standard (SNAP) that aims to ensure data confidentiality, data and system integrity, and service availability. It sets standards for authentication, authorization and encryption to guarantee data integrity and confidentiality, for the existence of a business continuity plan, and for the implementation of a fraud detection system to mitigate potential fraud. In addition to following this security standard, Service Providers and Service Users must apply comprehensive controls and protection of data and information against cyber risk, in order to protect their systems, Consumer data, and data related to the Service Provider and/or Service User.

COMPONENTS OF THE TECHNICAL AND SECURITY STANDARDS

The technical and security standards of the National Open API Payment Standard standardize the following:

  1. Architecture Type
  2. Data Format
  3. Character Encoding
  4. HTTP Method Component
  5. Header Structure Format Component - Access Token (Business to Business (B2B) and Business to Business to Consumer (B2B2C))
  6. Header Structure Format Component - Transaction (B2B and B2B2C)
  7. Server Authentication Method Component
  8. Client Authentication Method Component
  9. Encryption Standard Component
  10. Secured Channel Communication Component
  11. URI Path Standardization Component
  12. Business Continuity Plan Standardization Component (Reliability, Availability, and Scalability)
  13. Other Security Standardization Component

API Architecture Type

The architecture type used is Representational State Transfer (REST) API.

Data Format

The data format used for the request body and response body is JavaScript Object Notation (JSON).

Character Encoding

The character encoding standard used is UTF-8.

HTTP Method Component

The HTTP method identifies the action to be performed on a resource, using the commonly used HTTP verbs. The HTTP verbs used are:

  1. POST Request
  2. GET Request
  3. DELETE Request
  4. PUT Request

As a security consideration, the get Access Token service uses a POST request. Other services use the HTTP verb appropriate to the type of operation and the resource being accessed. The HTTP method for each service is listed in the general information table of the SNAP technical specification document.

Server Authorization and Authentication Method Component

Authorization is the method by which the Service Provider grants access to API requests from the Service User. The standards used are:

  • OAuth 2.0 as per RFC 6749
  • Bearer token as per RFC 6750

When granting access to a Service User, the Service Provider performs authentication to validate that Service User. The means used are the credentials exchanged when the partnership is established, namely the client secret and the public/private key pair, used together with specific cryptographic algorithms.

Client Authentication Method Component

The Client Authentication Method is the authentication method used to validate the consumer. The Two-Factor Authentication standards used are:

  1. Short Message Service (SMS) TOTP (Time-based One-Time Password)
    1. SMS TOTP with 6 numeric digits and a validity of 5 minutes
  2. Personal Identification Number (PIN)
    1. PIN with 6 numeric digits
  3. Biometric (Fingerprint & Face Recognition)
  4. Others

Encryption Standard Component

The message encryption model used is asymmetric and symmetric encryption, using a combination of Private Key and Public Key, with the following standards:

  1. Standard Asymmetric Encryption Signature:
    1. SHA256withRSA with Private Key (Kpriv) and Public Key (Kpub) (256 bits)
  2. Standard Symmetric Encryption Signature:
    1. HMAC_SHA512 (512 bits)
  3. Standard Symmetric Encryption:
    1. AES-256 with the client secret as the encryption key.

Secured Channel Communication Component

Secured channel communication is a secure communication channel that preserves the confidentiality of the messages sent. The standards used are:

  1. Transport Layer Security (TLS) 1.3
  2. The ability to negotiate down to TLS 1.2, but only with the following minimum cipher suites:
    a. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    b. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    c. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    d. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The use of TLS 1.2 with the minimum cipher suites listed under number 2, letters a to d, may only be applied by Service Providers and Service Users until 30 June 2026.

Uniform Resource Identifier (URI) Path Standardization Component

The URI resource path is standardized in the following format:

/[domain_......_api]//[version]/[service-group]/[product-type]

  1. [domain_...._api]: the constant string of the respective PJP/non-PJP API domain name

  2. [version]: the version of the APIs, expressed as /v[major-version].[minor-version]/

  3. [service-group]: identifies the group of endpoints

  4. [product-type]: details of the resource, if the service has another product definition underneath

Business Continuity Plan (BCP) Principles

The standard BCP principles are as follows:

  1. Reliability: ensuring the availability of data and services and guaranteeing the continuity of business processes.
  2. Availability: ensuring systems and data are available to authorized users when they need them, through Active-Active deployment or Active-Standby by default.
  3. Scalability: ensuring that financial product services have a measurable response time.

The BCP standard is as follows:

No. | Supporting infrastructure for SNAP-based Open API Payment | Requirements
1 | Type of Data Recovery Center for API Management | i. HOT DRC (RTO: < 1 hour, RPO: < 1 hour); ii. data replication must support an RTO & RPO SLA of < 1 hour
2 | Category of data center used for API Management | RTO: < 1 hour, RPO: < 1 hour
3 | Regular backup of the database & transaction log | database backup (daily, weekly, monthly); transaction log backup; data & log retention: 10 years

Other Security Standards

  1. Availability of Written Policies on Information Systems

Service Providers and Service Users have written policies or procedures on information systems that cover at least:

  1) User management
  2) Cyber management
  3) Data security and protection (including data storage)
  4) Secure application development
  5) Change management
  6) Information system governance

  2. Fulfilment of Certifications and/or Standards for Information System Security and Reliability

    1. Service Providers and Service Users of SNAP-based Open API Payment adopt generally accepted best practices in implementing information system security and reliability.
    2. Service Providers and Service Users are recommended to hold generally applicable certifications and/or standards for information system security and reliability appropriate to the type of service they operate.

  3. Fraud Detection System (FDS)

An FDS is a tool used to prevent, detect, mitigate and analyze fraudulent activity at the moment such activity is identified entering the system, and that is able to provide information/alerts to authorized staff.

SNAP-based Open API Payment is equipped with an FDS.

The FDS is supported by the policies/procedures and human resources required to implement and operate it.

Features recommended for implementation in the FDS include, but are not limited to:

  1. Flexibility to configure rules/parameters before and after FDS implementation
  2. The ability to receive and process fraud data from external sources
  3. The ability to analyze, mitigate and/or prioritize follow-up based on the potential attack/fraud
  4. The ability to detect/prevent transaction anomalies
  5. The ability to detect/prevent potential fraud from the customer account registration phase onward.

Rules/parameters recommended for implementation in the FDS include, but are not limited to:

  1) Transaction time
  2) Transaction frequency
  3) Velocity*)
  4) Incorrect PIN/OTP/password/other authentication method
  5) Amount
  6) Negative balance
  7) Dormant account
  8) Country of origin and/or destination of the transaction
  9) Excessive login
  10) Device ID
  11) Fraudster ID/account blacklist
  12) Transaction location*)

*) where the transaction includes location data

  4. Periodic Audits

Service Providers and Service Users audit their SNAP implementation periodically. The audit is performed by an independent auditor.

  5. Other Security Aspects
    1. Whitelisted IPs are applied to the devices/assets used for SNAP-based Open API Payment and to other supporting devices.
    2. A firewall is in place.

SNAP-based Open API Payment is equipped with a Web Application Firewall, whether Cloud-Based, Network-Based or Host-Based, that can protect against cyber attacks such as cross-site scripting (XSS), cross-site request forgery, SQL injection, DDoS, malware and others.

Firewall management practices recommended for implementation include, but are not limited to:

  1) Firewall documentation (purpose, services using the firewall, rules)
  2) Access Control Lists (ACLs)
  3) Rules including packet filtering, anti-spoofing filters, user permit rules, permit management, alerts for suspicious traffic, and traffic logs
  4) Network traffic management/monitoring
  5) Periodic firewall testing
  6) Regular firewall updates

GUIDES


Header Structure Format Component - Access Token (B2B and B2B2C)

Every Service User that wants to access the registered API services for the use case model:

  1. B2B (integration between the PJP Service Provider and the Service User); or
  2. B2B2C (integration between the PJP Service Provider, the Service User, and the Consumer)

must first make an access token request, with the following standard:

Header Structure Format Component - Access Token Request (B2B)

Service Code: 73
Name: API Access Token B2B
Version: 1.0
HTTP Method: POST
Path: ../{version}/access-token/b2b

API header structure format for the Access Token Request (B2B):

Area: Header
  Content-Type (Mandatory, String): indicates the media type of the resource (e.g. application/json, application/pdf)
  X-TIMESTAMP (Mandatory, String): client's current local time in yyyy-MM-ddTHH:mm:ssTZD format
  X-CLIENT-KEY (Mandatory, String): client's client_id (PJP Name), given on completion of the registration process
  X-SIGNATURE (Mandatory, String): non-repudiation & integrity checking. X-SIGNATURE is computed with the asymmetric signature algorithm SHA256withRSA(Private_Key, stringToSign), where stringToSign = client_ID + "|" + X-TIMESTAMP
Area: Body
  grantType (Mandatory, String): "client_credentials": the client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control (OAuth 2.0: RFC 6749 & 6750)
  additionalInfo (Optional, Object): additional information

Header Structure Format Component - Access Token Response (B2B)

As the response to the access token request, the following standard format applies:

Area: Header
  X-TIMESTAMP (Mandatory, String): client's current local time in yyyy-MM-ddTHH:mm:ssTZD format
  X-CLIENT-KEY (Mandatory, String): client's client_id (PJP Name), given on completion of the registration process
Area: Body
  responseCode (Conditional, String): refer to the data standard and technical specification, part 6 (Response Code). If the access token failed to generate, this value must be filled.
  responseMessage (Conditional, String): refer to the data standard and technical specification, part 6 (Response Message). If the access token failed to generate, this value must be filled.
  accessToken (Mandatory, String (2048)): a string representing an authorization issued to the client that is used to access protected resources
  tokenType (Mandatory, String): the access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). Token type values:
    • "Bearer": includes the access token string in the request
    • "Mac": issues a Message Authentication Code (MAC) key together with the access token, used to sign certain components of the HTTP requests
    Reference: OAuth 2.0 RFC 6749 & 6750
  expiresIn (Mandatory, String): session expiry in seconds: 900 (15 minutes)
  additionalInfo (Optional, Object): additional information

Header Structure Format Component - Access Token Request (B2B2C)

Service Code: 74
Name: API Access Token B2B2C
Version: 1.0
HTTP Method: POST
Path: ../{version}/access-token/b2b2c

API header structure format for the Access Token Request (B2B2C):

Area: Header
  Content-Type (Mandatory, String): indicates the media type of the resource (e.g. application/json, application/pdf)
  X-TIMESTAMP (Mandatory, String): client's current local time in yyyy-MM-ddTHH:mm:ssTZD format
  X-CLIENT-KEY (Mandatory, String): client's client_id (PJP Name), given on completion of the registration process
  X-SIGNATURE (Mandatory, String): non-repudiation & integrity checking. X-SIGNATURE is computed with the asymmetric signature algorithm SHA256withRSA(Private_Key, stringToSign), where stringToSign = client_ID + "|" + X-TIMESTAMP
Area: Body
  grantType (Mandatory, String): the token request key type; can be AUTHORIZATION_CODE or REFRESH_TOKEN.
  authCode (Conditional, String (256)): the authorization code received after the User provides consent. Mandatory if grantType = AUTHORIZATION_CODE
  refreshToken (Conditional, String (512)): refresh token used to get a new accessToken without the User having to provide consent again. Mandatory if grantType = REFRESH_TOKEN. The refresh token should be shorter than the access token validity and will be managed by the PJP's application to generate a new access_token
  additionalInfo (Optional, Object): additional information
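The X-SIGNATURE computation in the B2B and B2B2C access token request tables above, as an added Python example that is not part of the SNAP specification or any PJP's code: it builds stringToSign = client_ID + "|" + X-TIMESTAMP, signs it with SHA256withRSA (RSASSA-PKCS1-v1_5 with SHA-256), and shows the check the Service Provider runs with the public key registered for that client. It assumes the `cryptography` package; the hex encoding of the signature follows the sample response in the code snippets on this page.

```python
"""SNAP access-token request signature (B2B and B2B2C).

stringToSign = client_ID + "|" + X-TIMESTAMP, signed with SHA256withRSA.
Added example, not part of the SNAP specification. Assumes the
`cryptography` package; hex encoding of X-SIGNATURE follows the page's sample.
"""
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def access_token_string_to_sign(client_id: str, timestamp: str) -> str:
    """Build exactly the string the standard signs: client_ID|X-TIMESTAMP."""
    return f"{client_id}|{timestamp}"


def sign_access_token_request(private_key, client_id: str, timestamp: str) -> str:
    """Service User side: produce the X-SIGNATURE header value.

    SHA256withRSA (the Java JCA name) is RSASSA-PKCS1-v1_5 with SHA-256.
    """
    message = access_token_string_to_sign(client_id, timestamp).encode("utf-8")
    signature = private_key.sign(message, padding.PKCS1v15(), hashes.SHA256())
    return signature.hex()


def verify_access_token_request(public_key, client_id: str, timestamp: str,
                                x_signature: str) -> bool:
    """Service Provider side: rebuild stringToSign from the X-CLIENT-KEY and
    X-TIMESTAMP headers and verify X-SIGNATURE with the public key registered
    for that client. Malformed hex and a bad signature are both rejections."""
    try:
        signature = bytes.fromhex(x_signature)
    except ValueError:
        return False
    message = access_token_string_to_sign(client_id, timestamp).encode("utf-8")
    try:
        public_key.verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return True


def new_keypair(bits: int = 2048):
    """Throwaway RSA key pair for the demonstration. In production the pair is
    exchanged when the partnership is set up, as the standard states."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


if __name__ == "__main__":
    priv, pub = new_keypair()
    # Sample header values taken from the code snippets on this page.
    client_key = "962489e9-de5d-4eb7-92a4-b07d44d64bf4"  # X-CLIENT-KEY
    ts = "2020-01-01T00:00:00+07:00"                     # X-TIMESTAMP
    sig = sign_access_token_request(priv, client_key, ts)
    print("X-SIGNATURE:", sig[:32] + "...", len(sig), "hex chars")
    print("verify, same headers    :", verify_access_token_request(pub, client_key, ts, sig))
    print("verify, timestamp changed:",
          verify_access_token_request(pub, client_key, "2020-01-01T00:00:01+07:00", sig))
```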

Header Structure Format Component - Access Token Response (B2B2C)

As the response to the access token request, the following standard format applies:

Area: Header
  X-TIMESTAMP (Mandatory, String): client's current local time in yyyy-MM-ddTHH:mm:ssTZD format
  X-CLIENT-KEY (Mandatory, String): client's client_id (PJP Name), given on completion of the registration process
Area: Body
  responseCode (Conditional, String): refer to the data standard and technical specification, part 6 (Response Code). If the access token failed to generate, this value must be filled.
  responseMessage (Conditional, String): refer to the data standard and technical specification, part 6 (Response Message). If the access token failed to generate, this value must be filled.
  accessToken (Mandatory, String (2048)): a string representing an authorization issued to the client that is used to access protected resources.
  tokenType (Mandatory, String): the access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). Token type values:
    • "Bearer": includes the access token string in the request
    • "Mac": issues a Message Authentication Code (MAC) key together with the access token, used to sign certain components of the HTTP requests
    Reference: OAuth 2.0 RFC 6749 & 6750
  accessTokenExpiryTime (Mandatory, String): time when the accessToken will expire. Access token validity will be 15 days. Format: ISO 8601
  refreshToken (Mandatory, String): a random string that can be used by the specific client to get a refreshed accessToken to prolong access to the User's resources.
  refreshTokenExpiryTime (Mandatory, String): time when the refreshToken will expire. The refresh token should be shorter than the access token validity and will be managed by the PJP's application to generate a new access_token. Format: ISO 8601
  additionalInfo (Optional, Object): additional information

Header Structure Format Component - Transaction (B2B and B2B2C)

The standard header structure format for transaction-level APIs is as follows:

Header Structure Format Component - Transaction Request (B2B)

API header structure format for the transaction request (B2B):

Area: Header
  Content-Type (Mandatory, String): indicates the media type of the resource (e.g. application/json, application/pdf)
  Authorization (Conditional, String): represents the access_token of a request; the string starts with the keyword "Bearer " followed by the access_token (e.g. Bearer eyJraWQiOi...Jzc29zIiwiY)
  X-TIMESTAMP (Mandatory, String): client's current local time in yyyy-MM-ddTHH:mm:ssTZD format
  X-SIGNATURE (Mandatory, String): represents the signature of a request. Identifies the signature type used.
    Values:
    1 - Symmetric Signature with Get Token
    2 - Asymmetric Signature without Get Token
    Default value: 1
    1. Symmetric signature:
       HMAC_SHA512(clientSecret, stringToSign) with the formula
       stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + AccessToken + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + TimeStamp
    2. Asymmetric signature:
       SHA256withRSA(clientSecret, stringToSign) with the formula
       stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + TimeStamp
    Notes:
    1. The Endpoint URL is the full URL including all parameters on that URL (relative path, e.g. the Path given in the general information of each API service)
    2. For the minify(RequestBody) parameter, if there is no Request Body the empty string is used.
  ORIGIN (Optional, String): origin domain, e.g. www.yourdomain.com
  X-PARTNER-ID (Mandatory, String (36)): unique ID for a partner
  X-EXTERNAL-ID (Mandatory, String (36)): numeric string. Reference number that should be unique within the same day
  CHANNEL-ID (Mandatory, String (5)): PJP's channel id. Device identification on which the API services are currently being accessed by the end user (customer)

Example Transaction Request Header (B2B):

Content-type: application/json
Authorization: Bearer gp9HjjEj813Y9JGoqwOeOPWbnt4CUpvIJbU1mMU4a11MNDZ7Sg5u9a
X-TIMESTAMP: 2020-12-17T10:55:00+07:00
X-SIGNATURE: 85be817c55b2c135157c7e89f52499bf0c25ad6eeebe04a986e8c862561b19a5
ORIGIN: www.hostname.com
X-PARTNER-ID: 82150823919040624621823174737537
X-EXTERNAL-ID: 41807553358950093184162180797837
CHANNEL-ID: 95221

Header Structure Format Component - Transaction Request (B2B2C)

API header structure format for the transaction request (B2B2C):

Area: Header
  Content-Type (Mandatory, String): indicates the media type of the resource (e.g. application/json, application/pdf)
  Authorization (Mandatory, String): represents the access_token of a request; the string starts with the keyword "Bearer " followed by the access_token (e.g. Bearer eyJraWQiOi...Jzc29zIiwiY)
  Authorization-Customer (Mandatory, String): represents the access_token of the request belonging to the customer; the string starts with the keyword "Bearer " followed by the access_token (e.g. Bearer eyJrsWaiOi...Jzc523awiY)
  X-TIMESTAMP (Mandatory, String): client's current local time in yyyy-MM-ddTHH:mm:ssTZD format
  X-SIGNATURE (Mandatory, String): represents the signature of a request. X-SIGNATURE uses the symmetric signature algorithm HMAC_SHA512(clientSecret, stringToSign) with the formula
    stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + AccessToken + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + TimeStamp
    Notes:
    1. The Endpoint URL is the full URL including all parameters on that URL (relative path, e.g. the Path given in the general information of each API service)
    2. For the minify(RequestBody) parameter, if there is no Request Body the empty string is used.
  ORIGIN (Optional, String): origin domain, e.g. www.yourdomain.com
  X-PARTNER-ID (Mandatory, String (36)): unique ID for a partner
  X-EXTERNAL-ID (Mandatory, String (36)): numeric string. Reference number that should be unique within the same day
  X-IP-ADDRESS (Optional, String (15)): IP address of the end user (customer) in IPv4 format. Example: 172.31.255.255
  X-DEVICE-ID (Mandatory, String (400)): device identification on which the API services are currently being accessed by the end user (customer). Samples:
    Web application: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.99
    Mobile application: Android: android-20013adf6cdd8123f; iOS: 72635bdfd223yvjm7246nsdj34hd4559393kjh42
  CHANNEL-ID (Mandatory, String (5)): PJP's channel id. Device identification on which the API services are currently being accessed by the end user (customer)
  X-LATITUDE (Optional, String (10)): location from which the API services are currently being accessed by the end user (customer). Refer to ISO 6709, standard representation of geographic point location by coordinates. ±DD.DDDD format (without minutes and seconds); ±DD = three-digit integer degrees part of latitude; .DDDD = variable-length fraction part in degrees. Sample: New York City, Latitude: +40.75
  X-LONGITUDE (Optional, String (10)): location from which the API services are currently being accessed by the end user (customer). Refer to ISO 6709, standard representation of geographic point location by coordinates. ±DDD.DDDD format (without minutes and seconds); ±DDD = four-digit integer degrees part of longitude; .DDDD = variable-length fraction part in degrees. Sample: New York City, Longitude: -074.00

Example Transaction Request Header (B2B2C):

Content-type: application/json
Authorization: Bearer gp9HjjEj813Y9JGoqwOeOPWbnt4CUpvIJbU1mMU4a11MNDZ7Sg5u9a
Authorization-Customer: Bearer fa8sjjEj813Y9JGoqwOeOPWbnt4CUpvIJbU1mMU4a11MNDZ7Sg5u9a
X-TIMESTAMP: 2020-12-23T09:10:11+07:00
X-SIGNATURE: 85be817c55b2c135157c7e89f52499bf0c25ad6eeebe04a986e8c862561b19a5
ORIGIN: www.hostname.com
X-PARTNER-ID: 82150823919040624621823174737537
X-EXTERNAL-ID: 41807553358950093184162180797837
X-IP-ADDRESS: 172.24.281.24
X-DEVICE-ID: 09864ADCASA
CHANNEL-ID: 95221
X-LATITUDE: -6.108841
X-LONGITUDE: 106.7782137
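The transaction-level symmetric signature from the B2B and B2B2C request tables above (HMAC_SHA512 over HTTPMethod:EndpointUrl:AccessToken:Lowercase(HexEncode(SHA-256(minify(RequestBody)))):TimeStamp), as an added Python example that is not part of the SNAP specification or any PJP's code. It takes minify() to mean compact JSON with no whitespace, uses the empty string when there is no body (note 2 of the table), hex-encodes the HMAC as the page's signature-service sample does, and adds the Service Provider checks the standard implies without spelling out: a timestamp freshness window (the 5-minute value is an assumption) and the same-day uniqueness of X-EXTERNAL-ID behind the 409 Conflict response.

```python
"""SNAP transaction-request symmetric signature (HMAC_SHA512) and its verification.

Added example, not part of the SNAP specification; assumptions are marked below.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


def minify(body: Optional[str]) -> str:
    """minify(RequestBody): the JSON body with insignificant whitespace removed.
    Assumption: compact JSON serialization. With no body the empty string is
    used, as note 2 of the header table says."""
    if body is None or body.strip() == "":
        return ""
    return json.dumps(json.loads(body), separators=(",", ":"), ensure_ascii=False)


def string_to_sign(http_method: str, endpoint_url: str, access_token: str,
                   body: Optional[str], timestamp: str) -> str:
    """HTTPMethod:EndpointUrl:AccessToken:Lowercase(HexEncode(SHA-256(minify(body)))):TimeStamp"""
    body_hash = hashlib.sha256(minify(body).encode("utf-8")).hexdigest().lower()
    return ":".join([http_method, endpoint_url, access_token, body_hash, timestamp])


def sign_transaction(client_secret: str, http_method: str, endpoint_url: str,
                     access_token: str, body: Optional[str], timestamp: str) -> str:
    """Service User side: HMAC_SHA512(clientSecret, stringToSign), hex-encoded
    (the page's signature-service sample shows a 128-hex-character value)."""
    sts = string_to_sign(http_method, endpoint_url, access_token, body, timestamp)
    return hmac.new(client_secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha512).hexdigest()


def parse_timestamp(value: str) -> datetime:
    """X-TIMESTAMP is yyyy-MM-ddTHH:mm:ssTZD, which fromisoformat accepts."""
    return datetime.fromisoformat(value)


def verify_transaction(client_secret: str, headers: dict, http_method: str, endpoint_url: str,
                       body: Optional[str], now: datetime, seen_external_ids: Set[tuple],
                       max_skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Service Provider side. Returns (accepted, reason).

    Cheap checks (timestamp window, replay of X-EXTERNAL-ID) run before the HMAC,
    and X-EXTERNAL-ID is recorded only after the signature verifies, so an
    unauthenticated request cannot burn a partner's reference number for the day.
    """
    # 1. Timestamp must parse, carry a zone, and be close to server time. The
    #    5-minute window is an assumption; the standard fixes only the format.
    try:
        ts = parse_timestamp(headers["X-TIMESTAMP"])
    except (KeyError, ValueError):
        return False, "missing or malformed X-TIMESTAMP"
    if ts.tzinfo is None or abs(now - ts) > max_skew:
        return False, "X-TIMESTAMP outside the accepted window"

    # 2. The Bearer access token is part of stringToSign, so it must be present.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing Bearer access token"
    access_token = auth[len("Bearer "):]

    # 3. X-EXTERNAL-ID must be unique per partner within the same day (409 Conflict).
    dedup_key = (headers.get("X-PARTNER-ID"), ts.date().isoformat(), headers.get("X-EXTERNAL-ID"))
    if dedup_key in seen_external_ids:
        return False, "duplicate X-EXTERNAL-ID for this day (409 Conflict)"

    # 4. Recompute the HMAC over the received request and compare in constant time.
    try:
        expected = sign_transaction(client_secret, http_method, endpoint_url,
                                    access_token, body, headers["X-TIMESTAMP"])
    except ValueError:
        return False, "request body is not valid JSON"
    if not hmac.compare_digest(expected, headers.get("X-SIGNATURE", "").lower()):
        return False, "X-SIGNATURE mismatch"

    seen_external_ids.add(dedup_key)
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo using the endpoint, client secret and body from the page's sample request.
    secret = "xS3vNQQgJRemFF0SZfXkZOq3r7kQ9n5YJgK4Wg0tVCQ="
    token = "constructed.access.token"
    body = '{\n    "accountNo" : "2000200202",\n    "clientId"  : "962489e9-de5d-4eb7-92a4-b07d44d64bf4",\n    "reqMsgId"  : "a"\n}'
    ts = "2020-01-01T00:00:00+07:00"
    sig = sign_transaction(secret, "POST", "/api/v1/balance-inquiry", token, body, ts)
    headers = {"Authorization": "Bearer " + token, "X-TIMESTAMP": ts, "X-SIGNATURE": sig,
               "X-PARTNER-ID": "82150823919040624621823174737537",
               "X-EXTERNAL-ID": "41807553358950093184162180797837"}
    seen = set()
    now = parse_timestamp("2020-01-01T00:00:30+07:00")
    print("first request:", verify_transaction(secret, headers, "POST", "/api/v1/balance-inquiry", body, now, seen))
    print("replayed     :", verify_transaction(secret, headers, "POST", "/api/v1/balance-inquiry", body, now, seen))
```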

Header Structure Format Component - Transaction Response (B2B and B2B2C)

API header structure format for the transaction response (B2B and B2B2C):

Area: Header
  Content-Type (Mandatory, String): indicates the media type of the resource
  X-TIMESTAMP (Mandatory, String): client's current local time in yyyy-MM-ddTHH:mm:ssTZD format

Example Transaction Response Header (B2B and B2B2C):

Content-type: application/json
X-TIMESTAMP: 2020-12-21T10:30:34+07:00

CODE SNIPPETS


Sample Request
POST /api/v1/utilities/signature-auth HTTP/1.1
Host: localhost:44339
X-TIMESTAMP: 2020-01-01T00:00:00+07:00
X-CLIENT-KEY: 962489e9-de5d-4eb7-92a4-b07d44d64bf4
Private_Key: xoiOeVwrNlstGotvioidyzCdnAj5x6KreeTeqbdWFIA=
Sample Response
{
    "signature": "07abc7c30d245c0ecce3ef6c2a9ac76cd9ffaf6d0d090773b429c2b97437dc72047f46d9890abb2d6d8af7594ea19787e79ec80e388e2f6225b449c2e4d82e7df50f37c301424aede785935703c1c70235ba4e59f589f571218ce2dce4c061e598f0f38d1ac57f3feb52cf0c31078e3ceee8d796c53983fe1d38ebd71155aaa613700dc21f5a57941b787f921af7d287e72687d5242eb3063d543d5f5923f76db008cf4f56fb9c618f7f4bc8366ae70d88705617487754563e629119013fa0549e6645b397524b3dd2fa7e7f3fe9faf0fbf77da59f566861a3c510241fd4416ab7d0eba42d998e1178da51d607e0ef866607c458837c762323be53827d86e875"
}
Sample Request
POST /api/v1/utilities/signature-service HTTP/1.1
Host: localhost:44339
X-TIMESTAMP: 2020-01-01T00:00:00+07:00
X-CLIENT-SECRET: xS3vNQQgJRemFF0SZfXkZOq3r7kQ9n5YJgK4Wg0tVCQ=
HttpMethod: POST
EndpoinUrl: /api/v1/balance-inquiry
AccessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJhOGQ2YmVkNS05MzdkLTQzZTUtYTlkMi1hYWY0ODFlZjc2YTIiLCJjbGllbnRJZCI6IjZhZTk1N2M0LTI4NjMtNDcxMy1hY2NlLWJhMTJkZTYzNmNmYyIsIm5iZiI6MTYxMTM4NjM4NywiZXhwIjoxNjExMzg3Mjg3LCJpYXQiOjE2MTEzODYzODd9.nUillb6567_zkM6Ys35OOG-YWGoo7Ik1odPJn1tR-ao
Content-Type: application/json
Content-Length: 119

{
    "accountNo" : "2000200202",
    "clientId"  : "962489e9-de5d-4eb7-92a4-b07d44d64bf4",
    "reqMsgId"  : "a"
}
Sample Response
{
    "signature": "06a7c024bd3927ecea861ddb8605f96b382cd09e8f0ed71a4c4e8c810627212dd6973ab495b405a14dbad54f9fe23f8873b33ebcc546e2766912b7de4c225ef5"
}
Sample Request
POST /api/v1/access-token/b2b HTTP/1.1
Host: localhost:44339
X-TIMESTAMP: 2020-01-01T00:00:00+07:00
X-CLIENT-KEY: 962489e9-de5d-4eb7-92a4-b07d44d64bf4
X-SIGNATURE: <signature value omitted>
Content-Type: application/json
Content-Length: 41

{
   "grantType":"client_credentials",
   "additionalInfo":{
  
   }
}
Sample Response
{
   "responseCode":"2007300",
   "responseMessage":"Successful",
   "accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJiZjFmM2Q3ZS1kOTA3LTRkOWItODJlNC02Y2IxZGYxOTBlOWUiLCJjbGllbnRJZCI6IjZhZTk1N2M0LTI4NjMtNDcxMy1hY2NlLWJhMTJkZTYzNmNmYyIsIm5iZiI6MTYxMTQ2ODg1NiwiZXhwIjoxNjExNDY5NzU2LCJpYXQiOjE2MTE0Njg4NTZ9.-7HRhcyEh4y0qsG2H3DRdu0AeYv3MEJHfWRKhRBYcNU",
   "tokenType":"Bearer",
   "expiresIn":"900",
   "additionalInfo":{
  
   }
}
Sample Request
POST /api/v1/access-token/b2b2c HTTP/1.1
Host: localhost:44339
X-TIMESTAMP: 2020-01-01T00:00:00+07:00
X-CLIENT-KEY: 962489e9-de5d-4eb7-92a4-b07d44d64bf4
X-SIGNATURE: <signature value omitted>
Content-Type: application/json
Content-Length: 119

{
   "grantType":"authorization_code",
   "authCode":"a6975f82-d00a-4ddc-9633-087fefb6275e",
   "refreshToken":"83a58570-6795-11ec-90d6-0242ac120003",
   "additionalInfo":{
  
   }
}
Sample Response
{
   "responseCode":"2007400",
   "responseMessage":"Successful",
   "accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIyMTFlZThiMi1hN2FlLTRhZGUtYmJlYS1mNzI3MDk3ZmQ0NmEiLCJjbGllbnRJZCI6IjZhZTk1N2M0LTI4NjMtNDcxMy1hY2NlLWJhMTJkZTYzNmNmYyIsIm5iZiI6MTYxMTQ2ODk3OCwiZXhwIjoxNjExNDY5ODc4LCJpYXQiOjE2MTE0Njg5Nzh9.KM7yz9GvuUaDR1bXwei4iO0h4e3g4o1Hct5Ie9VoBdo",
   "tokenType":"Bearer",
   "accessTokenExpiryTime":"2020-01-01T00:00:00+07:00",
   "refreshToken":"57d21fe3-ba9c-4f2d-9fde-eae669bbf80d",
   "refreshTokenExpiryTime":"2020-01-01T00:00:00+07:00",
   "additionalInfo":{
  
   }
}

RESPONSE CODES


Response Code

The response status is the information provided by the service provider to the service consumer in the response body, indicating the result of processing the received request.

The response status consists of two components: a code (response code) and its description (response message).

Component | Data Type | Length | Notes
responseCode | String | 7 | response code = HTTP status code + service code + case code
responseMessage | String | 150 |
Daftar Response Code
Category | HTTP Code | Service Code | Case Code | Response Message | Description
Success | 200 | any | 00 | Successful | Successful
Success | 202 | any | 00 | Request In Progress | Transaction still in process
System | 400 | any | 00 | Bad Request | General request failed error, including message parsing failed.
Message | 400 | any | 01 | Invalid Field Format {field name} | Invalid format
Message | 400 | any | 02 | Invalid Mandatory Field {field name} | Missing or invalid format on mandatory field
System | 401 | any | 00 | Unauthorized. [reason] | General unauthorized error (No Interface Def, API is Invalid, OAuth Failed, Verify Client Secret Fail, Client Forbidden Access API, Unknown Client, Key not Found)
System | 401 | any | 01 | Invalid Token (B2B) | Token found in request is invalid (Access Token Not Exist, Access Token Expiry)
System | 401 | any | 02 | Invalid Customer Token | Token found in request is invalid (Access Token Not Exist, Access Token Expiry)
System | 401 | any | 03 | Token Not Found (B2B) | Token not found in the system. This occurs on any API that requires a token as input parameter
System | 401 | any | 04 | Customer Token Not Found | Token not found in the system. This occurs on any API that requires a token as input parameter
Business | 403 | any | 00 | Transaction Expired | Transaction expired
System | 403 | any | 01 | Feature Not Allowed [Reason] | This merchant is not allowed to call Direct Debit APIs
Business | 403 | any | 02 | Exceeds Transaction Amount Limit | Exceeds transaction amount limit
Business | 403 | any | 03 | Suspected Fraud | Suspected fraud
Business | 403 | any | 04 | Activity Count Limit Exceeded | Too many requests, exceeds transaction frequency limit
Business | 403 | any | 05 | Do Not Honor | Account or user status is abnormal
System | 403 | any | 06 | Feature Not Allowed At This Time. [reason] | Cut off in progress
Business | 403 | any | 07 | Card Blocked | The payment card is blocked
Business | 403 | any | 08 | Card Expired | The payment card is expired
Business | 403 | any | 09 | Dormant Account | The account is dormant
Business | 403 | any | 10 | Need To Set Token Limit | Need to set token limit
System | 403 | any | 11 | OTP Blocked | OTP has been blocked
System | 403 | any | 12 | OTP Lifetime Expired | OTP has expired
System | 403 | any | 13 | OTP Sent To Cardholder | Initiates request OTP to the issuer
Business | 403 | any | 14 | Insufficient Funds | Insufficient funds
Business | 403 | any | 15 | Transaction Not Permitted. [reason] | Transaction not permitted
Business | 403 | any | 16 | Suspend Transaction | Suspend transaction
Business | 403 | any | 17 | Token Limit Exceeded | Purchase amount exceeds the token limit set prior
Business | 403 | any | 18 | Inactive Card/Account/Customer | Indicates inactive account
Business | 403 | any | 19 | Merchant Blacklisted | Merchant is suspended from calling any APIs
Business | 403 | any | 20 | Merchant Limit Exceed | Merchant aggregated purchase amount on that day exceeds the agreed limit
Business | 403 | any | 21 | Set Limit Not Allowed | Set limit not allowed on particular token
Business | 403 | any | 22 | Token Limit Invalid | The token limit desired by the merchant is not within the agreed range between the merchant and the Issuer
Business | 403 | any | 23 | Account Limit Exceed | Account aggregated purchase amount on that day exceeds the agreed limit
Business | 404 | any | 00 | Invalid Transaction Status | Invalid transaction status
Business | 404 | any | 01 | Transaction Not Found | Transaction not found
System | 404 | any | 02 | Invalid Routing | Invalid routing
System | 404 | any | 03 | Bank Not Supported By Switch | Bank not supported by switch
Business | 404 | any | 04 | Transaction Cancelled | Transaction is cancelled by customer
Business | 404 | any | 05 | Merchant Is Not Registered For Card Registration Services | Merchant is not registered for Card Registration services
System | 404 | any | 06 | Need To Request OTP | Need to request OTP
System | 404 | any | 07 | Journey Not Found | The journeyID cannot be found in the system
Business | 404 | any | 08 | Invalid Merchant | Merchant does not exist or status abnormal
Business | 404 | any | 09 | No Issuer | No issuer
System | 404 | any | 10 | Invalid API Transition | Invalid API transition within a journey
Business | 404 | any | 11 | Invalid Card/Account/Customer [info]/Virtual Account | Card information may be invalid, or the card account may be blacklisted, or the Virtual Account number may be invalid.
Business | 404 | any | 12 | Invalid Bill/Virtual Account [Reason] | The bill is blocked/suspended/not found. The virtual account is suspended/not found.
Business | 404 | any | 13 | Invalid Amount | The amount doesn't match what it is supposed to be
Business | 404 | any | 14 | Paid Bill | The bill has been paid
System | 404 | any | 15 | Invalid OTP | OTP is incorrect
Business | 404 | any | 16 | Partner Not Found | Partner number can't be found
Business | 404 | any | 17 | Invalid Terminal | Terminal does not exist in the system
Business | 404 | any | 18 | Inconsistent Request | Inconsistent request parameter found for the same partner reference number/transaction id. It can be considered as failed in transfer debit, but it should be considered as success in transfer credit. Considered as success: transfer credit = (i) intrabank transfer; (ii) interbank transfer; (iii) RTGS transfer; (iv) SKNBI transfer; virtual account = (i) payment VA; (ii) payment to VA; transfer debit = (i) refund payment; (ii) void. Considered as failed: transfer credit = (i) transfer to OTC; transfer debit = (i) direct debit payment; (ii) QR CPM payment; (iii) auth payment; (iv) capture.
Business | 404 | any | 19 | Invalid Bill/Virtual Account | The bill is expired. The virtual account is expired.
System | 405 | any | 00 | Requested Function Is Not Supported | Requested function is not supported
Business | 405 | any | 01 | Requested Operation Is Not Allowed | Requested operation to cancel/refund transaction is not allowed at this time.
System | 409 | any | 00 | Conflict | Cannot use the same X-EXTERNAL-ID in the same day
System | 409 | any | 01 | Duplicate partnerReferenceNo | Transaction has previously been processed; indicates the same partnerReferenceNo already succeeded
System | 429 | any | 00 | Too Many Requests | Maximum transaction limit exceeded
System | 500 | any | 00 | General Error | General error
System | 500 | any | 01 | Internal Server Error | Unknown internal server failure, please retry the process again
System | 500 | any | 02 | External Server Error | Backend system failure, etc.
System | 504 | any | 00 | Timeout | Timeout from the issuer

TESTING APPLICATION