How PSP certification works
Every partner (card PSP + Open Banking) follows the same path: upload docs → paste keys → FETCH → START TEST → all green → GO LIVE. Certified partners stay visible here so your team can demo the process to colleagues.
Certification workflow
Follow these steps for Clisapay — same process for all future partners.
-
1
Upload API docs
PDF / TXT from PSP
-
✓
Paste API keys
Keys stored on test board
-
✓
FETCH
Saved Jul 10, 08:42
-
4
START TEST
Runs full certification suite
-
5
All tests green
Export adapter + go-live package
-
6
GO LIVE
Deploy to Hostinger production
POST /api/v1/payments
with psp_code=P001
· Return URL:
https://checkout.finexeble.com/return?psp_id=P001&order_id={order_id}
Went live (archived from test board)
Card PSP Test
P001 Clisapay — card payments, 2D/3DS routing
Setup — Clisapay (P001)
① Upload API documentation
PDF, TXT, or JSON from the PSP
Notes (control room)
Saved on this test app — API doc links, webhook samples, messages
② Paste API keys & settings
Copy from email or .env — one line per key, e.g. CLISAPAY_MERCHANT_KEY=...
✓ Stored on this test board
API keys saved: Jul 10, 2026 08:42
- API URL (sandbox for certification): https://api.clisapay.com
- Production API URL: https://api.clisapay.com
- Payment webhook callback URL template: https://checkout.finexeble.com/webhooks/clisapay/{order_id}/PaymentWebHooks
- Refund notify URL template: https://checkout.finexeble.com/webhooks/clisapay/{order_id}/RefundWebHooks
- Merchant number: 301037001
- Merchant key (default): FI••••OV
- Visa merchant number: 301037001
- Visa merchant key: NC••••qp
- Mastercard merchant number: 301038001
- Mastercard merchant key: eO••••ct
- Default currency: USD
- Referer URL: https://www.finexeble.com
- Webhook sign secret: FI••••OV
Clisapay
pending● No tests run yet
P001
All 82 tests must be green first
PSP Certification Checklist
Automated validation — must pass before go-live
-
Not run
PCI DSS Compliance
No PAN/CVV storage; BIN+last4 only in webhooks.
Not run yet
-
Not run
Webhook HMAC-SHA256
Shared secret configured; signature verified on every webhook.
Not run yet
-
Not run
BIN + Last 4 in Webhook
Webhook payload exposes BIN and last4 for routing.
Not run yet
-
Not run
3DS 2.0 Support
3DS status mapped for Europe/Asia transactions.
Not run yet
-
Not run
Geo Auth Strategy
US routes 2D; Europe/Asia routes 3DS.
Not run yet
-
Not run
Return URL PSP ID
Return URL always includes assigned PSP code.
Not run yet
-
Not run
Restricted Countries
PSP blocked-country list enforced (when applicable).
Not run yet
-
Not run
Customer Name Validation
Latin letters only, min 2 chars, no email in name fields.
Not run yet
API key/secret accepted by PSP sandbox.
Not run yet — click Run to check
Sandbox API responds within 10s timeout.
Not run yet — click Run to check
Production URL configured separately from sandbox.
Not run yet — click Run to check
HTTPS endpoint uses valid TLS certificate.
Not run yet — click Run to check
Requests timeout gracefully after 30s, return Readies error.
Not run yet — click Run to check
HTTP 429 responses retried with exponential backoff.
Not run yet — click Run to check
5xx errors retried up to 3 times before failing.
Not run yet — click Run to check
PSP status/health endpoint reachable for monitoring.
Not run yet — click Run to check
All inbound payment request fields map to Readies canonical format.
Not run yet — click Run to check
All outbound payment responses use Readies canonical format only.
Not run yet — click Run to check
merchant_reference preserved end-to-end, never lost or truncated.
Not run yet — click Run to check
Amount always integer minor units (cents) in Readies format.
Not run yet — click Run to check
Currency always 3-letter ISO 4217 code (USD, EUR, GBP).
Not run yet — click Run to check
card_bin (6 digits) and card_last4 present in every payment response.
Not run yet — click Run to check
Card brand (visa/mastercard/amex) mapped to Readies standard values.
Not run yet — click Run to check
PSP statuses map to Readies: pending/authorized/captured/failed/cancelled.
Not run yet — click Run to check
Billing address fields (street, city, zip, country) normalized.
Not run yet — click Run to check
Customer email and custom metadata preserved through normalization.
Not run yet — click Run to check
PSP transaction_id stored and retrievable for refunds/webhooks.
Not run yet — click Run to check
Every response includes ISO 8601 timestamp.
Not run yet — click Run to check
US-issued cards (country=US) route as 2D — no 3DS challenge.
Not run yet — click Run to check
All non-US cards route as 3DS with challenge.
Not run yet — click Run to check
3DS challenge redirect/iframe URL returned correctly.
Not run yet — click Run to check
Frictionless 3DS (no challenge) maps to three_ds_status=authenticated.
Not run yet — click Run to check
Failed or abandoned 3DS maps to three_ds_status=failed with clear error.
Not run yet — click Run to check
three_ds_status: not_required/challenge/authenticated/failed.
Not run yet — click Run to check
EU cards always trigger SCA/3DS per PSD2 requirements.
Not run yet — click Run to check
auth_mode correctly set per card country in every response.
Not run yet — click Run to check
Single-step sale transaction completes and normalizes correctly.
Not run yet — click Run to check
Authorization without capture — status=authorized.
Not run yet — click Run to check
Capture on previously authorized transaction — status=captured.
Not run yet — click Run to check
Capture less than authorized amount.
Not run yet — click Run to check
Void/release authorized funds before capture.
Not run yet — click Run to check
Declined card returns status=failed with mapped error code.
Not run yet — click Run to check
Insufficient funds maps to Readies error code payment_insufficient_funds.
Not run yet — click Run to check
Expired card maps to Readies error code card_expired.
Not run yet — click Run to check
Invalid card number maps to Readies error code card_invalid.
Not run yet — click Run to check
Fraud-blocked transaction maps to Readies error code fraud_suspected.
Not run yet — click Run to check
PSP webhook payload maps fully to Readies canonical webhook format.
Not run yet — click Run to check
Every webhook verified with HMAC-SHA256 before processing.
Not run yet — click Run to check
payment.success event received and normalized correctly.
Not run yet — click Run to check
payment.failed event received and normalized correctly.
Not run yet — click Run to check
refund.completed event received and normalized correctly.
Not run yet — click Run to check
chargeback.opened event received and normalized correctly.
Not run yet — click Run to check
Duplicate webhook delivery processed only once (idempotent).
Not run yet — click Run to check
Late webhooks (e.g. success after failed) handled correctly.
Not run yet — click Run to check
PSP webhook retries (same payload) handled without duplicate processing.
Not run yet — click Run to check
Only accept webhooks from known PSP IP addresses.
Not run yet — click Run to check
Full refund request/response normalizes to Readies format.
Not run yet — click Run to check
Partial refund with specific amount normalizes correctly.
Not run yet — click Run to check
Declined refund returns mapped error — not silent failure.
Not run yet — click Run to check
Cannot refund more than original captured amount.
Not run yet — click Run to check
Duplicate refund request returns same result, not double refund.
Not run yet — click Run to check
All PSP error codes mapped to Readies standard error codes.
Not run yet — click Run to check
Human-readable decline reasons mapped to Readies error_message.
Not run yet — click Run to check
Network timeout returns Readies error code gateway_timeout.
Not run yet — click Run to check
Invalid JSON/unexpected PSP response handled gracefully.
Not run yet — click Run to check
PSP downtime returns Readies error code psp_unavailable.
Not run yet — click Run to check
Duplicate payment with same idempotency_key returns original result.
Not run yet — click Run to check
Full card number never stored or logged — only BIN+Last4.
Not run yet — click Run to check
CVV/CVC never stored, logged, or included in webhooks.
Not run yet — click Run to check
API keys, card data masked in all log output.
Not run yet — click Run to check
API key has minimum required permissions only (least privilege).
Not run yet — click Run to check
Webhook signing secret can be rotated without downtime.
Not run yet — click Run to check
JPY and other zero-decimal currencies handled correctly (no ×100).
Not run yet — click Run to check
PSP supports all required currencies (USD, EUR, GBP, CAD, AUD).
Not run yet — click Run to check
Payments below PSP minimum amount rejected with clear error.
Not run yet — click Run to check
Payments above PSP maximum amount rejected with clear error.
Not run yet — click Run to check
PSP settlement/report data maps to Readies reconciliation format.
Not run yet — click Run to check
PSP settlement txn IDs match stored Readies transaction_ids.
Not run yet — click Run to check
PSP processing fees mapped to Readies fee_amount field.
Not run yet — click Run to check
Daily transaction export available in Readies reconciliation format.
Not run yet — click Run to check
Every outbound response uses identical Readies canonical structure.
Not run yet — click Run to check
No raw PSP field names exposed to merchant API.
Not run yet — click Run to check
All errors use same Readies error structure regardless of PSP.
Not run yet — click Run to check
All success responses use same Readies structure regardless of PSP.
Not run yet — click Run to check
Every single test above has passed — zero failures allowed.
Not run yet — click Run to check
Production API keys configured and verified (not sandbox keys).
Not run yet — click Run to check
Production endpoint reachable and responding.
Not run yet — click Run to check
Full payment → webhook → refund cycle completed in sandbox.
Not run yet — click Run to check
ALL gates passed — PSP certified for live transfer.
Not run yet — click Run to check
PSP restricted-country list loaded and enforced before payment.
Not run yet — click Run to check
Customer return URL always carries psp_id (P001, P002…) for tracking.
Not run yet — click Run to check
Customer first/last names are Latin letters, minimum 2 characters, and never emails.
Not run yet — click Run to check
Open Banking Test
OB001 FENA (GB/IE) · OB002 GWP (15 EU countries) — orchestration picks best per country
Setup — FENA (OB001)
Paste FENA toolkit credentials — one line per key.
Click orange FETCH first to unlock START TEST
FENA OB001
0 passed · 0 failed · 45 remaining (0%)
API Authentication
Client ID / secret or API key accepted by OB sandbox.
Sandbox Endpoint Reachable
Sandbox API responds within 10s timeout.
Production Endpoint Configured
Production URL configured separately from sandbox.
TLS / SSL Certificate Valid
HTTPS endpoint uses valid TLS certificate.
API Timeout Handling
Requests timeout gracefully after 30s, return Readies error.
Rate Limit Handling (429)
HTTP 429 responses retried with exponential backoff.
Retry on Transient Errors
5xx errors retried up to 3 times before failing.
Health Check Endpoint
OB provider status/health endpoint reachable for monitoring.
Initiation Request → Readies
OB payment initiation fields map to Readies canonical format.
Initiation Response → Readies
OB initiation response uses Readies canonical format only.
Merchant Reference Mapping
merchant_reference preserved end-to-end, never lost or truncated.
Amount in Minor Units
Amount always integer minor units (cents) in Readies format.
Currency ISO 4217
Currency always 3-letter ISO 4217 code.
Bank Consent Redirect URL
OB consent/bank selection redirect URL returned for customer.
Webhook Inbound Mapping
OB webhook payload maps fully to Readies canonical webhook format.
Webhook Signature Verification
Every webhook verified with HMAC or equivalent before processing.
Webhook: payment.success
Final payment.success webhook received and normalized correctly.
Webhook: payment.failed
payment.failed webhook with clear decline reason — not vague.
Webhook Decline Reason Quality
Failed webhooks include clear human-readable decline reason and category.
Final Status Only (No False Success)
Intermediate/pending OB states must NOT map to success.
Webhook Reference Fields
Webhook contains transaction_id and merchant_reference consistently.
Webhook Duplicate Idempotency
Duplicate webhook delivery processed only once (idempotent).
Webhook Out-of-Order Delivery
Late webhooks (e.g. success after failed) handled correctly.
Webhook Retry Tolerance
OB webhook retries handled without duplicate processing.
Webhook IP Allowlist
Only accept webhooks from known OB provider IP addresses.
Return URL Includes Provider ID
Customer return URL carries provider code (OB001) for tracking.
Payment Status Mapping
OB statuses map to Readies: pending/authorized/settled/failed/cancelled.
Transaction ID Persistence
OB transaction_id stored and retrievable for queries/webhooks.
Payment Status Query
Query OB payment status by merchant_reference or transaction_id.
Initiation Idempotency
Duplicate initiation requests with same idempotency key handled safely.
Response Timestamp (ISO 8601)
Every response includes ISO 8601 timestamp.
Consent Return Handling
Customer return from bank consent flow normalized correctly.
Abandoned Consent Flow
Abandoned or timed-out consent maps to failed with clear error.
Error Code Mapping
FENA error codes map to Readies standard error codes.
Declined Payment Handling
Declined OB payment returns status=failed with mapped error code.
Network Timeout Error
Connection timeout returns gateway_timeout error — not silent failure.
Malformed Response Handling
Non-JSON or invalid OB response handled gracefully.
Sensitive Data Masking
IBAN, account numbers, and secrets never logged in plain text.
Webhook Secret Rotation
Webhook secret can be rotated without breaking verification.
Bank Selection Per Country
OB bank list filtered by customer country when applicable.
Restricted Countries Enforced
OB restricted-country list loaded and enforced before initiation.
Singleton Output Format
Every OB response is a single Readies object — no nested PSP structures.
No Raw PSP Fields Leak
Raw FENA field names never exposed to merchants.
Consistent Success Format
All success responses use identical Readies field structure.
Consistent Error Format
All error responses use identical Readies error field structure.
All Tests Passed (100%)
Every OB test category passed — no exceptions.
Live Transfer Ready
OB provider approved and ready for Hostinger live deployment.