
DenizBank POS's Wix Connection Process: Fast and Secure Integration

Thanks to the Wix DenizBank POS connection, customers can make secure payments in installments and with 3D Secure verification.

Processing API Information to Velo Backend


When your Virtual POS application is approved by DenizBank, you receive information specific to you. Nothing works without this information because it is your communication bridge between the system and DenizBank. The first information is Merchant ID - your merchant number. DenizBank recognizes you with this number and knows which account to deposit money into. Each business has a unique Merchant ID.

The second important information is Store Key or "Shop Code" as it appears in some sources. This key is used when initiating payment. The third information is Terminal ID - if you have multiple sales channels (website, mobile application, phone sales), each can have a separate terminal ID. If you have a single sales channel, you typically use a single terminal.

Finally, there are security keys. The most important of these is the 3D Secure key or the parameter called "3dpass". This key is used in hash calculations. Hash is a security mechanism that proves the data you send has not been altered in transit. Do not share the security key with anyone - if this information is compromised, your system is at risk.

After receiving this information, you switch to the Wix side. Open Dev Mode in Wix Editor, find Secrets Manager in the Code Panel. This is the digital vault where you store your sensitive information. Create a separate "secret" for each piece of information. Keep naming consistent: denizbank_merchant_id, denizbank_store_key, denizbank_terminal_id, denizbank_3d_pass, etc. Fill in the values with the information received from the bank.

Create a new file in the Backend folder, name it "denizbankService.jsw". This file will manage all DenizBank operations. Import the wix-secrets-backend module to read secrets:

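import { getSecret } from 'wix-secrets-backend';

// Read the credentials inside an async backend function; they are never returned to the browser.
async function getDenizbankCredentials() {
    const merchantId = await getSecret('denizbank_merchant_id');
    const storeKey = await getSecret('denizbank_store_key');
    return { merchantId, storeKey };
}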

This way the information stays secure, never goes to the browser, and is only used on the server side.

Payment Initiation and 3D Secure Redirect

The customer completed their shopping on your site and clicked the "Make Payment" button. Your frontend code collects card information - card number, expiration date, CVV, and cardholder name. You send this information to the backend. In the backend, you generate an order number - a combination of timestamp and random number is a secure method.

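Now a critical step: hash calculation. For DenizBank, hash parameters are combined in this order: ShopCode, OrderId, Amount, OkUrl, FailUrl, TxnType, InstallmentCount, Rnd, MerchantPass. Rnd is a random value - typically a timestamp is used. You write these parameters side by side with no separator, add MerchantPass at the end, then hash the resulting string with SHA-1 and encode the digest in Base64. SHA-1 here is a one-way hash, not encryption: the bank repeats the same calculation with its copy of MerchantPass and compares the results.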

After calculating the hash, you package all information as form data. DenizBank's endpoint is typically: https://sanaltest.denizbank.com/mpi/Default.aspx for test environment, https://spos.denizbank.com/mpi/Default.aspx for live environment. You POST the form data. The bank returns an HTML response - this HTML contains an auto-submitting form.
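The order number, hash and form-data steps above, as an added example that is not code from DenizBank, Wix or the original article. The form field name `Hash`, the function names and all sample values are assumptions made for illustration.

```javascript
// Added example; field order follows the article, all values are constructed.
// CommonJS require so it runs under plain Node.js; adapt the import to your backend.
const crypto = require('node:crypto');

// Hash field order as given in the article; MerchantPass is appended last.
const REQUEST_HASH_ORDER = ['ShopCode', 'OrderId', 'Amount', 'OkUrl', 'FailUrl',
  'TxnType', 'InstallmentCount', 'Rnd'];

function sha1Base64(text) {
  return crypto.createHash('sha1').update(text, 'utf8').digest('base64');
}

// Order number: millisecond timestamp plus 8 hex characters from the CSPRNG.
function newOrderId(now = Date.now()) {
  return `${now}-${crypto.randomBytes(4).toString('hex')}`;
}

// Concatenate the fields in the fixed order. A missing field is an error:
// the literal text "undefined" would otherwise end up inside the digest input.
function requestHashInput(fields, merchantPass) {
  const parts = REQUEST_HASH_ORDER.map((name) => {
    if (fields[name] === undefined || fields[name] === null) {
      throw new Error(`missing hash field: ${name}`);
    }
    return String(fields[name]);
  });
  return parts.join('') + merchantPass;
}

// Form data to POST. "Hash" as the form field name is an assumption;
// the secret itself is never copied into the form.
function buildPaymentForm(fields, merchantPass) {
  return { ...fields, Hash: sha1Base64(requestHashInput(fields, merchantPass)) };
}

// Constructed sample values (not real merchant data).
const SAMPLE = {
  ShopCode: 'SHOP001', OrderId: '1700000000000-ab12cd34', Amount: '149.90',
  OkUrl: 'https://example.com/ok', FailUrl: 'https://example.com/fail',
  TxnType: 'Auth', InstallmentCount: '3', Rnd: '1700000000000',
};
```

When a hash mismatch is reported, log the output of `requestHashInput` with the secret portion masked and compare it field by field against what was actually posted.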

Your frontend takes this HTML and places it on the page. The form submits automatically and takes the customer to DenizBank's 3D Secure screen. Now the customer is under the bank's control. Transaction details appear on the screen - how much they will pay, which store they shopped from. The bank performs risk analysis in the background - the customer's shopping history, IP address, and device information are checked.

If the transaction is found to be low risk, the bank approves it without asking for an SMS password. If it is found to be high risk, the bank sends a code to the customer's phone. The customer enters the code, and if they choose "Confirm," the transaction is completed. If they decline or enter the wrong code, the transaction is canceled. In any case, the bank redirects the customer to your callback URL.

Callback URL and Security Verification

You specified the callback URL when initiating payment. Successful transactions return to OkUrl, failed transactions to FailUrl. However, this redirect comes from the customer's browser, meaning it can be manipulated. Therefore, you must verify in the callback - "did the bank really say successful, or did the customer modify the URL themselves?"

You use HTTP Functions for callback. Create a post_denizbankCallback function in the "http-functions.js" file. This function receives the form data sent by the bank. DenizBank sends many parameters, but the most critical ones are:

Response: Transaction result. If "Approved" it's successful, if "Declined" it's rejected, if "Error" there's an error. Only count "Approved" as successful, everything else is failed.

AuthCode: Approval code. The bank gives this code for successful transactions, you use it when querying or canceling the transaction.

TransId: Transaction ID. The transaction number in the bank's own system. You'll use this ID for future refunds or cancellations.

ProcReturnCode: Detailed transaction code. "00" means successful, other codes indicate different errors. "51" insufficient balance, "54" card expired, "05" card declined, etc.

HASH: Hash calculated by the bank. You calculate the hash with the same parameters and compare.

Be careful when doing hash verification. DenizBank uses different parameters in the callback - typically Response, AuthCode, TransId, and MerchantPass are combined and hashed with SHA-1. If the hash you calculated doesn't match the HASH sent by the bank, the data may have been manipulated. Reject the transaction, mark the order status as "suspicious".

If the hash is correct, check the Response. If you see "Approved," the transaction is successful. Update order status to "paid," save AuthCode and TransId to the database, send confirmation email to customer, notify inventory system. If Response is another value, the transaction failed. Set order status to "payment failed," show an explanatory message to the customer by looking at ProcReturnCode.
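The callback decision described above, as an added example that is not DenizBank's or Wix's code. It assumes the callback HASH is the Base64-encoded SHA-1 digest of Response, AuthCode, TransId and MerchantPass in that order; function names and sample values are constructed.

```javascript
// Added example; parameter names follow the article, values are constructed.
const crypto = require('node:crypto');

// ProcReturnCode meanings listed in the article.
const PROC_MESSAGES = {
  '51': 'Insufficient balance', '54': 'Card expired', '05': 'Card declined',
};

// Assumption: Response + AuthCode + TransId + MerchantPass, SHA-1, Base64.
function callbackHash(params, merchantPass) {
  const input = [params.Response, params.AuthCode, params.TransId]
    .map((v) => String(v ?? '')).join('') + merchantPass;
  return crypto.createHash('sha1').update(input, 'utf8').digest('base64');
}

// Constant-time comparison. timingSafeEqual throws on unequal lengths,
// so a missing or truncated HASH is rejected by the length check first.
function hashesMatch(expected, received) {
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(String(received ?? ''), 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Verify the hash before trusting any other field of the callback body.
function evaluateCallback(params, merchantPass) {
  if (!hashesMatch(callbackHash(params, merchantPass), params.HASH)) {
    return { status: 'suspicious', reason: 'hash mismatch' };
  }
  if (params.Response === 'Approved') {
    return { status: 'paid', authCode: params.AuthCode, transId: params.TransId };
  }
  const message = PROC_MESSAGES[params.ProcReturnCode] || 'Payment could not be completed';
  return { status: 'payment failed', message };
}

// Constructed callback bodies for local testing, signed with a constructed secret.
const DEMO_PASS = 'demo-3dpass-not-a-real-key';
function signedSample(fields) {
  return { ...fields, HASH: callbackHash(fields, DEMO_PASS) };
}
```

A body whose Response was edited to "Approved" after signing comes back as "suspicious", because the recomputed digest no longer matches the HASH it carries.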

Dual Panel Tracking System

After the connection is complete, you can track your transactions from two places. This system provides both security and control.

Wix Dashboard: General view of orders is here. Which customer bought what, what's the order number, what's the payment status - these are in the Wix panel. E-commerce processes like delivery information, customer notes, cargo tracking are managed in Wix. If you're using Wix Data, all details are in the "Orders" collection. You can update order statuses as "preparing," "in cargo," "delivered".

DenizBank POS Panel: Financial details are here. Which card was used for payment, last 4 digits of card, number of installments, commission amount, transaction time - you see these in the DenizBank panel. The panel address is typically https://sanalpos.denizbank.com.tr or https://spos.denizbank.com. When you log in, all payments are listed in the "Transactions" section. You can view detailed information for each transaction, make refunds, cancel.

These two panels complement each other. For example, when a customer says "I made a payment but the order wasn't created," you first look at Wix - is there really no order? Then you switch to the DenizBank panel - did the payment really come through? If the payment came through but there's no order in Wix, it means there was an error in the callback process. You check the logs and identify the problem.

As a daily routine, check both panels every morning. You see payments that came in overnight at DenizBank, you verify in Wix that these orders were processed correctly. Do the amounts match? Do the order numbers align? If there's a discrepancy, investigate immediately. Sometimes the customer made a payment but closed the page so the callback didn't run - you may need to manually correct these situations.
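The morning comparison of the two panels can be scripted once both sides are exported. The following is an added example, not part of the original article or of either product; the record shapes (`orderId`, `amount`, `status`, `transId`) are hypothetical and the data is constructed.

```javascript
// Added example; record shapes are hypothetical, values are constructed.
// Amounts are compared in minor units so '100.00' and 100 are treated as equal.
function toMinor(amount) {
  return Math.round(Number(amount) * 100);
}

// bankTxns: approved transactions from the bank panel.
// wixOrders: rows from the Wix "Orders" collection.
function reconcile(bankTxns, wixOrders) {
  const orders = new Map(wixOrders.map((o) => [o.orderId, o]));
  const settled = new Set();
  const findings = [];
  for (const txn of bankTxns) {
    settled.add(txn.orderId);
    const order = orders.get(txn.orderId);
    if (!order) {
      // Typical cause: the customer closed the page and the callback never ran.
      findings.push({ orderId: txn.orderId, issue: 'paid at bank, no Wix order' });
    } else if (toMinor(order.amount) !== toMinor(txn.amount)) {
      findings.push({ orderId: txn.orderId, issue: 'amount mismatch' });
    } else if (order.status !== 'paid') {
      findings.push({ orderId: txn.orderId, issue: 'paid at bank, Wix order not marked paid' });
    }
  }
  for (const order of wixOrders) {
    // An order marked paid without a bank record points at a callback that was not verified.
    if (order.status === 'paid' && !settled.has(order.orderId)) {
      findings.push({ orderId: order.orderId, issue: 'marked paid in Wix, no bank transaction' });
    }
  }
  return findings;
}

// Constructed sample data.
const BANK_TXNS = [
  { orderId: 'A1', amount: '100.00', transId: 'T1' },
  { orderId: 'A2', amount: '50.00', transId: 'T2' },
  { orderId: 'A3', amount: '75.50', transId: 'T3' },
];
const WIX_ORDERS = [
  { orderId: 'A1', amount: 100, status: 'paid' },
  { orderId: 'A3', amount: 57.5, status: 'paid' },
  { orderId: 'A4', amount: 20, status: 'paid' },
  { orderId: 'A5', amount: 10, status: 'payment failed' },
];
```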

Transparent and Secure Payment Flow

When the connection is configured correctly, the system works transparently and automatically. The customer enters card information, is redirected to the bank's page, confirms the transaction, returns to your site. This process takes 20-30 seconds. The customer doesn't encounter any complicated steps, just enters the SMS password.

Security layers are arranged as follows: First layer is SSL certificate - all communication is encrypted. Second layer is hash verification - data cannot be manipulated. Third layer is 3D Secure - customer identity is verified. Fourth layer is fraud detection - bank detects suspicious transactions. Fifth layer is callback control - transaction result is verified on the server side.

All these layers work in the background, the customer doesn't notice. For them, the process is simple - enter card information, enter the code in the SMS, complete the purchase. But in the background, five different security checks are being performed. This ensures protection for you, your customer, and the bank.

Definitely keep logs. Record every payment initiation, every hash calculation, every callback. When there's a problem, it's very difficult to find errors without logs. You can use console.log or create a separate log table. Especially log hash calculations - hash mismatch is one of the most common problems.

Follow update emails from DenizBank. Sometimes there are changes in the API, new parameters are added, old endpoints are closed. If you don't make these updates in time, the system can stop working. Regularly update the information in Secrets Manager. Especially changing the security key every 6 months is a good practice.

Don't skip the testing process. DenizBank provides test cards - you can try the entire flow without real money being withdrawn. Use test environment URLs, make a few transactions with the test card. Test the successful scenario, also test the failed scenario. Enter wrong CVV, use an expired card number. Confirm that the system catches errors correctly and shows meaningful messages to the customer.

DenizBank POS works smoothly when connected to Wix with correct processing of API information and complete implementation of security steps. Define Merchant ID, Store Key, Terminal ID, and security keys in Velo backend, calculate hashes correctly, configure callback properly. When the system runs automatically, you can track transactions from both Wix and DenizBank panels and provide a transparent and secure payment flow.

Blakfy Customer Relations Specialist

Blakfy Expert
