February 9, 2023
Currently, card principals (VISA, MASTERCARD, JCB, AMEX) do not process 3DS version 1 transactions anymore. Cards that do not support 3DS version 2 will be rejected on the principal side. However, we are still processing 3DS version 1 transactions although the transactions will be denied on the principal side.
Starting on 9th February 2023, all transactions using 3DS version 1 card will be denied on the
/charge API before it goes to principal.
October 4, 2022
Midtrans is sanitizing order id characters for MPGS to make sure it's URL safe. Allowed symbols in order id are dash(-), underscore(_), tilde(~), and dot(.).
On Midtrans MAP (Merchant Portal), order id shown will be the same with the one sent by Merchant. but order id shown on MPGS portal or Bank settlement report could be different because of order id sanitization.
For more details, refer Transaction Details Object.
February 1st, 2018
Starting on 1st February, 2018,
channel parameter from Get Card Token request and Charge API request will be permanently removed. Once it is effective, any
channel parameter sent to Midtrans will be disregarded. We advise you to remove
channel parameter on your end immediately.
Following this announcement, we have made
channel parameter as optional. However, should you choose to do a transaction via MIGS banks, you will need to send
bank parameter to Midtrans. Otherwise it will return an error. A few instances where the changes may be applicable are given below.
|No||No||any non-MIGS bank||✅|
|No||MIGS||specific MIGS bank||✅|
|No||Non-MIGS||specific non-MIGS bank||✅|
|MIGS||No||any MIGS bank||❌|
|MIGS||MIGS||specific MIGS bank||❌|
August 31, 2017
We are improving our API to meet your security needs. Currently, Mandiri ClickPay API payload consists of full PAN number which pose a risk of leaking customer's card credentials.
We are introducing new flow for Mandiri ClickPay. This new flow will enable you to exchange customer card data for a
token_id on client side. Consequently, the
token_id is passed as Mandiri ClickPay parameter instead of
We highly recommend you to update your Mandiri ClickPay implementation to cater this new flow since we are going to deprecate the old implementation by 1st December, 2017.
August 3, 2017
Starting from 1st November, 2017, we are limiting the characters to make sure that
order_id are URL safe. Allowed Symbols are dash(-), underscore(_), tilde (~), and dot (.). For more details, refer Transaction Details Object.
December 1, 2016
Starting from 15th January, 2017, we are going to prohibit the use of decimal value for
gross_amount. Few examples of valid and invalid values are given below.
gross_amount will be rejected with a
status_code:400 (validation error).
User-Agentheader in the HTTP notification from Midtrans will no longer be 'Veritrans'. It will be the same as the HTTP client we are using in code. Please do not use the
User-AgentHeader or depend on it.
In line with the change of the name of the organization, we will also deprecate the usage of
veritrans.co.iddomain in the next 3-4 months. The changes in the domain names are listed below.
Please switch to using the new host names and URL's immediately to avoid failures.