INFORMATION SYSTEMS

Government Payment Gateway (GPG)

The Government Payment Gateway is a Software as a Service (SaaS) based platform from MITA. It allows the Government of Malta to accept online payments. This is a core eGovernment shared service, acting as a centralised payment mechanism to provide the public with a consistent and uniform experience when paying online. The GPG is a provider-initiated online payments model. The payment page is centrally hosted within a PCI-DSS certified data centre which allows a high level of security and meets industry standards. The platform offers transaction processing, SOAP or REST API integration, retrieval of payment status, refunds, settlement of payments, 3D Secure enabled transactions, card wallets and a back-office transaction management portal. At present there are more than 150 merchants. In 2018, more than 659,000 transactions, worth in excess of €103m, were processed through the platform.


Introduction

GPG is an eGovernment Shared Service acting as a centralised payment service that meets the highest industry security levels to provide citizens with a consistent and uniform experience while effecting payments online. GPG makes use of the provider-initiated online payments model.

When using this model, transactions are processed through a single, centrally hosted payment page, the Hosted Payment Page (HPP). This method of payment ensures that Service Providers have no access to credit/debit card details submitted by citizens during an online payment process. The HPP is certified to be Payment Card Industry Data Security Standard (PCI DSS) compliant, a requirement mandated by all banks, and is the standard method for the processing of online payments through Government systems.

Integration with the service is facilitated by the provision of an Application Programming Interface (API) that provides line-of-business applications and websites with the necessary functionality to:

  1. Process an online payment – Allow clients to enter credit card details and complete a transaction.
  2. Retrieve payment details – Verify payment by retrieving the status and all relevant information about the payment.
  3. Refund processed payments – Refund functionality can be implemented to revert the funds back to the client's account.
  4. Settle Payments – Settle Pre-Authorised Payments so that the funds are withdrawn from the client's account once a condition is met.

Note that the payment page can also be invoked in either English or Maltese by passing EN or MT as required. Refer to the Integration Guide for the Language Parameter.

The payment page is now also responsive, to fit all kinds of devices, be it desktop, tablet or mobile. This will encourage portability and uptake of the service.

[Figures: Desktop Version of Payment Page; Mobile Version of Payment Page]

For more information on how to implement the above functionality, kindly refer to the Knowledge Base in the Reporting Portal.

Different Types of Transactions

GPG provides two main types of transactions that can be used in the Provider-Initiated Online Payments Process Flow. These include:

Sale

When using the Sale as a payment method, the funds are immediately withdrawn from the client’s bank account and deposited into the Merchant’s bank account, as long as the payment status is successful. Service Providers can still refund the payment should the need arise either through the GPG reporting portal (permission needs to be granted for such functionality by raising an eRFS as explained in section 8) or through direct integration of the refund functionality.

Pre-Authorisation

When using the Pre-Authorisation, the funds are not immediately withdrawn from the client’s bank account. Instead, funds are withheld by the bank until a specific condition is met. During this period, the client cannot make use of the withheld funds as these are unavailable for withdrawal. The Service Provider can then settle (complete the transaction and withdraw the funds) or cancel the payment (release the funds and make them available back to the client) according to the business needs.

When using Pre-Authorisation, the bank will release any withheld money from the client’s bank account once 7 days (including weekends and public holidays) have passed from when the transaction was originated. Any settlements attempted after this 7-day period will be unsuccessful and the transaction will have to be initiated once again by the client. This is to ensure that the money is not withheld indefinitely by a Service Provider.

Note that MITA is currently rolling out 3D Secure on all merchants, with the plan being to enable 3D Secure by mid-2018. As a general rule, all new merchant accounts will be 3D Secure enabled, and hence new merchant accounts with the bank also need to be specified as 3D Secure ready to avoid any delays.

3D Secure

The GPG also supports 3D Secure with the following colour coding used in the reporting portal:

  • Green: 3D Secure Fully Processed; the transaction went through a full 3D Secure authentication.
  • Red: 3D Secure Eligible; the card used during the transaction is issued by a bank that supports 3D Secure but, for some reason, the client’s bank bypassed the 3D Secure process. The Merchant is not liable for any fraud.
  • Black: 3DS Not Eligible; the card was issued by a bank that does not support 3D Secure.
  • Orange: Enrolled; the user closed the page or took too long to complete the 3DS process.

Customization of inline Frame

Inline frame payments allow providers to give end users a seamless experience when conducting online payments by hiding most of the GPG look and feel and not redirecting the user to a different website. It is strongly recommended to make proper use of the style sheets provided to developers in order to customize the online payments page and fully integrate the HPP with the native look and feel of the Provider’s website.

MITA recommends that the iFrame is set to 100% by 100% to benefit from the responsiveness of the payment page; it must be at least 800px wide, with scroll bars enabled.

GPG Reporting

Once the integration with GPG is complete, Service Providers will have the option to request access to the GPG reporting portal to monitor incoming payments processed through GPG. This portal can be accessed through the following URL: https://apsp.biz/GPG/MITAPortal/Login.aspx

This portal is also PCI DSS compliant, which guarantees that no sensitive information is given to anyone granted access to this portal. All the information disseminated through this portal is strictly for reporting and reconciliation purposes and no direct access to clients’ bank accounts is being granted.

From this portal, one can monitor all the transactions being done through the merchant account. Such transactions will be accompanied by a status indicating the payment status (accepted, rejected, error, etc.). This portal can be used for both the test and live Merchant Accounts. Furthermore, authorised users can also perform refunds on specific payments.

NB: MITA is in no way responsible for reconciliation activities to any Government or third party entity. MITA shall only provide access to reporting data provided by GPG, however, the use of such data for reconciliation is the Provider Account’s own responsibility. 

Requesting Access to GPG Reporting

To request access to this portal, kindly raise an eRFS with MITA Service Call Centre for the creation of an Account for GPG reporting while specifying the provider ID and Provider name of the account to be accessed together with the username of the account to be created.

MITA Service Call Centre can be reached by either calling 25992777 or by sending an email to [email protected]

The following eRFSs can be raised according to the business needs:

  • GPG: Merchant Management specifying: Creation, Deletion or Modification in the eRFS
  • GPG: User Management specifying: Creation, Deletion or Modification in the eRFS

Registering for GPG Service Provider Account (Test and Live)

The first procedure that needs to be done to integrate with GPG is to create the Merchant Accounts with the bank/s of your choice (mainly BOV and/or HSBC). Such merchant accounts tend to take a considerable amount of time to be created, thus it is highly advised to initiate this process as early as possible.

Once the Merchant Account details are available from the bank, the final step is to create a Test and/or Live Provider Account on GPG. A Service Provider representative together with the supplier must download the respective registration form from below to be filled in and raise an eRFS with MITA Service Call Centre on 25992777 or [email protected]. In case more than one Provider Account for a unique Service is required, a registration form must be provided for each separate Provider Account.

It is essential to always ask the banks for a 3D Secure enabled account.

For any other queries contact [email protected]
