search
DOKU DocsChangelogDOKU Github

Mandiri Direct Debit

Mandiri offers 2 payment schemes, which are; 1) Tokenization scheme, and 2) Recurring scheme.

hashtag
Integration Steps

Overview of integration process with Mandiri Direct Debit

  1. Card Registration

  2. OTP Verification

  3. Payment

  4. Payment Notification

  5. Additional Feature

hashtag
1. Card Registration

Card Registration process should be done before payment can be made and processed. Merchant will send card registration request from customer to DOKU. The request includes customer's card number that is registered to customer's Mandiri account.

Each card/account can only be registered/bind to one customer on one merchant. Customer needs to verify OTP and input PIN to register the card.

CBC Encryption

To request card registration process, merchant requires to bring object cardData which value should be encrypted using CBC Algorithm.

CBC Encryption - Steps:

  1. Prepare shared key from DOKU as Secret Key

    • Substring shared key only 16 digits

    • Example code:

    private String getSharedKey(String sharedKey) {
    if (sharedKey.length() != 16) {
sharedKey = sharedKey.length() > 16 ? sharedKey.substring(0, 16) : String.format("%-16s", sharedKey).replace(' ', '-');
    }
    return sharedKey;
}

  2. Generate Initial Value (IV)

    • Generate initial value with 16 bytes and then encode using Base 64

    • Example code:

    byte[] iv = new byte[16];
new SecureRandom().nextBytes(iv);
IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
String ivString = Base64.getEncoder().encodeToString(ivParameterSpec.getIV());

  3. Using Cipher CBC

    • Value that will be encrypted combine with secret key generated before

    • After that encode the value using Base 64

    • Example code:

    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); //NOSONAR
cipher.init(Cipher.ENCRYPT_MODE, key, ivParameterSpec);
byte[] cipherText = cipher.doFinal(input.getBytes());
String cipherString = Base64.getEncoder().encodeToString(cipherText);

  4. Combine CBC and IV

    • Combine value CBC Cipher with IV value with separator (|)

    • Example code:

    String value = cipherString + "|" + ivString;

Tools Using Java - Steps:

  • Install JDK 17

  • Go to folder

  • Run with command java -jar cbc-tools.jar

  • Input Value that you wish to be encrypted

  • Input Key to encrypt

Example Value:

(It should be minified)

file-archive
4KB
cbc-tools.jar.zip
archive
arrow-up-right-from-squareOpen
CBC Tools for Card Encryption

Card Registration Flow

Card Registration Flow - Mandiri Direct Debit

hashtag
API Endpoint

Environment
Endpoint

HTTP Method

POST

API Sandbox

https://api-sandbox.doku.comarrow-up-right

API Production

https://api.doku.comarrow-up-right

Path

.../direct-debit/core/v1/registration-card-bind

Sample of Request Header, Request Body and Response Body

Notes:

Parameter with (*) is mandatory

Parameter without (*) is optional/conditional

hashtag
Register Card for Direct Debit Mandiri SNAP

post
Header parameters
X-TIMESTAMPstring · utc timestampRequired

Customer's current local time in yyyy-MM- ddTHH:mm:ssTZD format

Example: 2020-12-21T07:56:11.000Z
X-SIGNATUREstringRequired

Algorithm symmetric signature HMAC_SHA512 (clientSecret, stringToSign)

Example: 85be817c55b2c135157c7e89f52499bf0c25ad6eeebe04a986e8c862561b19a5
X-PARTNER-IDstringRequired

Unique ID for a partner (DOKU'S Client ID)

Example: 821508239190
X-EXTERNAL-IDstringRequired

Numeric String. Reference number that should be unique in the same day (request-id)

Example: 418075533589
CHANNEL-IDstringOptional

Enum: DH/H2H (Default: DH) | Max: 3

Example: DH
AuthorizationstringRequired

Access Token obtained from Get B2B Token API

Example: Bearer eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2OTgwNTA3NDMsImlzcyI6IkRPS1UiLCJjbGllbnRJZCI6IkJSTi0wMjExLTE2OTY5MTk2NTE5MTgifQ.x-D5VlK6TlVZbLPUSCr-Gbfgh4tnp0QDJmedYFHJGHFjg1c4x39pszU4sLvRhr0Jk0vKdMIzxUZeNhKoesWqDJitnG3kfrNZNsMb_WYUC0tJW91onXzYOKXiTgsHwRNFoWPQHlXIEtT3RQm-SRlCpk_E0gsavgkQn2-kbJEBnPhIs4eKg5IUY9GYi4hRr-_GHsudDl8sd2B5UBB_rHYq36BRmLXH7i7MQADHPsB1ktPVgk3ZWF0jebEjI-lJ88p-omL1vQNvRseXej2HKBa9chGLmPDvXYBQaRmmstHz-tv1boFrHfwsHJebcUec-i3WE1vMvP_3EPXdbqb45N4ciQ
Body
cardDatastringRequired

Format Object: { "bankCardNo": "13763689649826892", "expiryDate": "0129" } Encrypt using CBC Algorithm Value: encryptedValue + ivString

Example: 5cg2G2719+jxU1RfcGmeCyQrLagUaAWJWWhLpm/mbkiTIrb9qA5kQgAZ4jTsMWOgMxB7lJX6k1hiv5Mq4ltG5g==|GbD2PwzJIgpPijLs14BwZQ==
custIdMerchantstringRequired

Customer id from merchant | Alphanumeric | max length: 64 |

Example: cust001
phoneNostringOptional

Customer's phone number, it is recommended to use the phone number that is linked to the card | Format: 628xxxxxxxxxx | min length: 9 max length: 16 | Mandatory

Example: 628238748728423
journeyIdstringOptional

Merchant ID, value must be unique | max length: 64

Example: 861023713017210
Responses
chevron-right
200

Successful

application/json
responseCodestringRequired

Response Code with format HTTP status code + service code + case code. service code and status code refer to: https://developers.doku.com/getting-started-with-doku-api/response-code/http-status-and-case-code#id-4.-direct-debit | Mandatory | min length: 1 | max length: 7.

Example: 2000700
responseMessagestringRequired

Response Description. | min length: 1 | max length: 150

Example: Successful
referenceNostringOptional

Reference Number

Example: 129260743966
redirectUrlstringOptional

Redirect URL to Merchant's page/platform for customer to input OTP/PIN | Will show only if CHANNEL-ID is DH

Example: https://doku.com/direct-debit/ui/binding/2238230713001534401107183161486001168389
post
/direct-debit/core/v1/registration-card-bind
200

Successful

hashtag
2. OTP Verification

OTP verification is needed to verify the Card Registration request and Payment request. Merchant can hit this API to verify the OTP.

OTP Verification Flow

OTP Verification Flow (Card Registration) - Mandiri Direct Debit

hashtag
API Endpoint

Environment
Endpoint

HTTP Method

POST

API Sandbox

https://api-sandbox.doku.comarrow-up-right

API Production

https://api.doku.comarrow-up-right

Path

.../direct-debit/core/v1/otp-verification

Sample of Request Header, Request Body and Response Body

Notes:

Parameter with (*) is mandatory

Parameter without (*) is optional/conditional

hashtag
OTP Verification for Direct Debit Mandiri SNAP

post
Header parameters
X-TIMESTAMPstring · utc timestampRequired

Customer's current local time in yyyy-MM- ddTHH:mm:ssTZD format

Example: 2020-12-21T07:56:11.000Z
X-SIGNATUREstringRequired

Algorithm symmetric signature HMAC_SHA512 (clientSecret, stringToSign)

Example: 85be817c55b2c135157c7e89f52499bf0c25ad6eeebe04a986e8c862561b19a5
X-PARTNER-IDstringRequired

Unique ID for a partner (DOKU'S Client ID)

Example: 821508239190
X-EXTERNAL-IDstringRequired

Numeric String. Reference number that should be unique in the same day (request-id)

Example: 418075533589
Authorization-customerstringRequired

Access Token obtained from Get B2B2C Token API

Example: Bearer fa8sjjEj813Y9JGoqwOeOPWbnt4CUpvIJbU1mMU4a11MNDZ7Sg5u9a
AuthorizationstringRequired

Access Token obtained from Get B2B Token API

Example: Bearer eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2OTgwNTA3NDMsImlzcyI6IkRPS1UiLCJjbGllbnRJZCI6IkJSTi0wMjExLTE2OTY5MTk2NTE5MTgifQ.x-D5VlK6TlVZbLPUSCr-Gbfgh4tnp0QDJmedYFHJGHFjg1c4x39pszU4sLvRhr0Jk0vKdMIzxUZeNhKoesWqDJitnG3kfrNZNsMb_WYUC0tJW91onXzYOKXiTgsHwRNFoWPQHlXIEtT3RQm-SRlCpk_E0gsavgkQn2-kbJEBnPhIs4eKg5IUY9GYi4hRr-_GHsudDl8sd2B5UBB_rHYq36BRmLXH7i7MQADHPsB1ktPVgk3ZWF0jebEjI-lJ88p-omL1vQNvRseXej2HKBa9chGLmPDvXYBQaRmmstHz-tv1boFrHfwsHJebcUec-i3WE1vMvP_3EPXdbqb45N4ciQ
Body
originalPartnerReferenceNostringRequired

Partner Reference Number Payment | max: 36 | Mandatory

Example: INV-0001
otpstringRequired

OTP sent to customer | min: 6 max: 6 | Mandatory

Example: 111000
actionstringRequired

otpPayment is for verifying Payment, otpLinkage is for verifying Card Registration | Mandatory

Example: otpPayment/otpLinkage
Responses
chevron-right
200

Successful

application/json
responseCodestringRequired

Response Code with format HTTP status code + service code + case code. service code and status code refer to: https://developers.doku.com/getting-started-with-doku-api/response-code/http-status-and-case-code#id-4.-direct-debit . | Mandatory | min length: 1 | max length: 7.

Example: 2000400
responseMessagestringRequired

Response Description. | min length: 1 | max length: 150

Example: Successful
originalReferenceNostringOptional

Reference No from

Example: GuJNX01wKYMdEGNUJ1k
post
/direct-debit/core/v1/otp-verification
200

Successful

hashtag
3. Payment

After customer's card is registered, payment process can be requested by bringing the card token generated in card registration process. After merchant hit payment API, DOKU will deduct customer's balance.

hashtag
Payment - Tokenization

In tokenization scheme, every payment needs to be verified by customer with inputting OTP and/or PIN. In order to do that, merchant needs to bring parameter paymentType : "SALE"in payment request body.

And as the response, merchant will receive parameter webRedirectUrl to redirect the customer to merchant's page/platform to complete the payment by inputting OTP and/or PIN. After the payment is completed, merchant then will receive the notification.

hashtag
Payment - Recurring

In recurring scheme, the payment process will be scheduled. Hence, verification using OTP and/or PIN is not required in every payment. Customers only need to do the verification during card registration process and it will give merchant the authorization to run scheduled payment. In order to do that, merchant needs to bring parameter CHANNEL-ID : "H2H" in request header andpaymentType : "RECURRING"in payment request body.

And as the response, merchant will not receive parameter webRedirectUrl to redirect the customer to merchant's page/platform to complete the payment. Payment request will be directly processed by acquirer and merchant will receive the notification.

Payment Flow

This below payment flow is for tokenization scheme.

Payment Flow - Mandiri Direct Debit - Tokenization Scheme

hashtag
API Endpoint

Environment
Endpoint

HTTP Method

POST

API Sandbox

https://api-sandbox.doku.comarrow-up-right

API Production

https://api.doku.comarrow-up-right

Path

.../direct-debit/core/v1/debit/payment-host-to-host

Sample of Request Header, Request Body and Response Body

Notes:

Parameter with (*) is mandatory

Parameter without (*) is optional/conditional

hashtag
Request Payment from Merchant for Direct Debit Mandiri SNAP

post
Header parameters
X-TIMESTAMPstring · utc timestampRequired

Customer's current local time in yyyy-MM- ddTHH:mm:ssTZD format

Example: 2020-12-21T07:56:11.000Z
X-SIGNATUREstringRequired

Algorithm symmetric signature HMAC_SHA512 (clientSecret, stringToSign)

Example: 85be817c55b2c135157c7e89f52499bf0c25ad6eeebe04a986e8c862561b19a5
X-PARTNER-IDstringRequired

Unique ID for a partner (DOKU'S Client ID)

Example: 821508239190
X-EXTERNAL-IDstringRequired

Numeric String. Reference number that should be unique in the same day (request-id)

Example: 418075533589
CHANNEL-IDstringOptional

Default value: DH(DOKU Hosted) Value: DH/H2H

Example: H2H
Authorization-customerstringRequired

Access Token obtained from B2B2C Get Token API

Example: Bearer fa8sjjEj813Y9JGoqwOeOPWbnt4CUpvIJbU1mMU4a11MNDZ7Sg5u9a
AuthorizationstringRequired

Access Token obtained from Get B2B Token API

Example: Bearer eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2OTgwNTA3NDMsImlzcyI6IkRPS1UiLCJjbGllbnRJZCI6IkJSTi0wMjExLTE2OTY5MTk2NTE5MTgifQ.x-D5VlK6TlVZbLPUSCr-Gbfgh4tnp0QDJmedYFHJGHFjg1c4x39pszU4sLvRhr0Jk0vKdMIzxUZeNhKoesWqDJitnG3kfrNZNsMb_WYUC0tJW91onXzYOKXiTgsHwRNFoWPQHlXIEtT3RQm-SRlCpk_E0gsavgkQn2-kbJEBnPhIs4eKg5IUY9GYi4hRr-_GHsudDl8sd2B5UBB_rHYq36BRmLXH7i7MQADHPsB1ktPVgk3ZWF0jebEjI-lJ88p-omL1vQNvRseXej2HKBa9chGLmPDvXYBQaRmmstHz-tv1boFrHfwsHJebcUec-i3WE1vMvP_3EPXdbqb45N4ciQ
Body
partnerReferenceNostringRequired

Reference No From Partner | max: 64 | Mandatory

Example: INV-0001
journeyIdstringOptional

Merchant ID, value must be unique | max length: 64

Example: 861023713017210
Responses
chevron-right
200

Successful

application/json
responseCodestringRequired

Response Code with format HTTP status code + service code + case code. service code and status code refer to: https://developers.doku.com/getting-started-with-doku-api/response-code/http-status-and-case-code#id-4.-direct-debit | Mandatory | min length: 1 | max length: 7.

Example: 2005400
responseMessagestringRequired

Response Description. | min length: 1 | max length: 150

Example: Successful
webRedirectUrlstringOptional

Redirect URL to Merchant's page/platform for customer to input OTP/PIN | Will show if CHANNEL-ID is DH or null

Example: https://app-uat.doku.com/link/283702597342040
partnerReferenceNostringOptional

Reference No From Partner

Example: INV-0001
post
/direct-debit/core/v1/debit/payment-host-to-host
200

Successful

hashtag
4. Payment Notification

After payment is completed, DOKU will send HTTP Notification to merchant's defined Notification URL. Learn how to handle the notification from DOKU.

hashtag
5. Additional Feature

hashtag
a. Refund

Currently, refund for successful Direct Debit Mandiri transactions can only be done via Manual Refund Flow.

Supported refund types via Manual refund Flow:

  • Full refund

  • Partial refund

  • Multiple partial refunds

Manual Refund Flow

Manual Refund Flow - Mandiri Direct Debit

hashtag
Steps to Request Manual Refund

Send email to DOKU

Include in your email

  • Merchant Name

  • Invoice Number

  • Date of Transaction

  • Transaction Amount

  • Refund Amount

Processing Time

  • Refunds are processed within 7 working days from the date Mandiri receives the request.

  • If no update after 7 working days, escalate by replying to the same email.

hashtag
Online Refund Flow

hashtag
API Endpoint

Parameter without (*) is optional/conditional

hashtag
b. Card Registration Unbinding

If a registered customer no longer wants their account/card to be bind/linked and wish to remove it from DOKU's and merchant’s system, merchant can send account unbinding request that is initiated by customer.

hashtag
API Endpoint

Environment
Endpoint

HTTP Method

POST

API Sandbox

https://api-sandbox.doku.comarrow-up-right

API Production

https://api.doku.comarrow-up-right

Path

.../direct-debit/core/v1/registration-card-unbind

Sample of Request Header, Request Body and Response Body

Notes:

Parameter with (*) is mandatory

Parameter without (*) is optional/conditional

hashtag
Card Registration Unbinding - Direct Debit Mandiri

post
Header parameters
X-TIMESTAMPstring · utc timestampRequired

Client's current local time in yyyy-MM- ddTHH:mm:ssTZD format

Example: 2020-12-21T07:56:11.000Z
X-SIGNATUREstringRequired

Algorithm symmetric signature HMAC_SHA512 (clientSecret, stringToSign)

Example: 85be817c55b2c135157c7e89f52499bf0c25ad6eeebe04a986e8c862561b19a5
X-PARTNER-IDstringRequired

Unique ID for a partner (DOKU'S Client ID)

Example: 821508239190
X-EXTERNAL-IDstringRequired

Numeric String. Reference number that should be unique in the same day (request-id)

Example: 418075533589
AuthorizationstringRequired

Access Token obtained from Get B2B Token API

Example: Bearer eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2OTgwNTA3NDMsImlzcyI6IkRPS1UiLCJjbGllbnRJZCI6IkJSTi0wMjExLTE2OTY5MTk2NTE5MTgifQ.x-D5VlK6TlVZbLPUSCr-Gbfgh4tnp0QDJmedYFHJGHFjg1c4x39pszU4sLvRhr0Jk0vKdMIzxUZeNhKoesWqDJitnG3kfrNZNsMb_WYUC0tJW91onXzYOKXiTgsHwRNFoWPQHlXIEtT3RQm-SRlCpk_E0gsavgkQn2-kbJEBnPhIs4eKg5IUY9GYi4hRr-_GHsudDl8sd2B5UBB_rHYq36BRmLXH7i7MQADHPsB1ktPVgk3ZWF0jebEjI-lJ88p-omL1vQNvRseXej2HKBa9chGLmPDvXYBQaRmmstHz-tv1boFrHfwsHJebcUec-i3WE1vMvP_3EPXdbqb45N4ciQ
Body
tokenIdstringOptional

format: Value from getTokenB2B2C | max: 2048 | Mandatory

Example: eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2OTg4MjI3NTQsImlzcyI6IkRPS1UiLCJjbGllbnRJZCI6IkJSTi0wMjAyLTE2OTAyNzUzNTM3OTgiLCJhY2NvdW50SWQiOiJjZTBhZWIyM2YyMmZhOTgxZWViNTE1MjFmZmNkYmUzNyJ9.QZ2z0p2PoCYbuBSId7LleLqTUwNyNIeM1PUSaV4DwGKO05l7xQ3EbpdAPK62hxKNcczKqQqGY2Om6rzS78s2Tj88dkDD2vl46o3xEPd_plqQW8ayFqS74Z_HcFJfdo-egqFv9rAX7qgiE5AJHSx_hFolET9B3o3Jx82lmQutnXOjYb5gW9PV0FCPIZRWOaXppOSJSVcmTvXZxF0KUID9-2QVmQ5aPZroHjShYJKGyUu-1tCPClD_CbZMCi3TxhKLnI3e2oIoK7VjXEsrJjuil8O1zZTT7_aXAGgTu5UcPCrc0U9_3Nj-wQlEjDpedMVypKAWATWBUVpMo2MAsBRDAw
Responses
chevron-right
200

Successful

application/json
responseCodestringRequired

Response Code with format HTTP status code + service code + case code. service code and status code refer to: https://developers.doku.com/getting-started-with-doku-api/response-code/http-status-and-case-code#id-4.-direct-debit | Mandatory | min length: 1 | max length: 7.

Example: 2000500
responseMessagestringRequired

Response Description. | min length: 1 | max length: 150

Example: Successful
referenceNostringOptional

Reference Number

Example: UNB-0001
redirectUrlstringOptional

Redirect URL to Authenticate Customer | Will show only if CHANNEL-ID is DH

Example: https://doku.com/direct-debit/ui/binding/2238230713001534401107183161486001168389
post
/direct-debit/core/v1/registration-card-unbind
200

Successful

PreviousCIMB Direct DebitNextKartu Kredit Indonesia Cepat Secure(KKI CPTS)

Last updated