Frequently Asked Questions

This is a collection of frequently asked questions (FAQ) provides brief answers to many of the common questions we are asked about CityPay’s products and services. It also provides links to more detailed information on this website.

Merchant Control Panel (MCP) FAQ

1.1 I have locked myself out of the MCP, how do I reset my password?
On the MCP home page under the area where you enter your login details, there is a blue “Forgotten Password” link. This will generate a token that is e-mailed to the address stored against the client ID and the user name. This e-mail can not be forwarded.
1.2 What is CityPay's MCP password policy?

Your new password must not repeat any of the last 8 passwords and must not contain either your client id or your user name.
Your password must also complete the CityPay password security guidelines which ensures that a password must fulfil the following requirements:

  • Must be longer than 8 characters
  • The password is not a word found in a dictionary (English or foreign)
  • Must be a strong password (See below)

Password Formulation
A weak password is deemed as being: a common usage word such as Names of family, pets, friends, co-workers, fantasy characters, etc. Computer terms and names, commands, sites, companies, hardware, software; Birthdays and any other personal information such as addresses and phone numbers Word or number patterns such as aaabbb, qwerty, 123321, etc. Any of the above preceded or followed by a digit i.e. (secret1, 1secret, etc.)

A Strong Password is deemed as having the following characteristics: Contains both upper and lower case characters, Has digits and punctuation characters as well as letters e.g., 0-9.!@#$£%^~|{}[]<>, Are at least 8 characters long and Is not a word in any language, slang, dialect, jargon, etc.

1.3 When trying to login to the MCP I am getting a "Session Compromise" message, why is this?

CityPay have a prevention filter that prevents a login session from being accessible from multiple public IP addresses. This has been added to prevent the possibility of an attacker stealing a session token and hijacking your session account. This will be displayed if you have not logged out correctly from one IP address prior to logging in on another. The previous session will be cleared after 30 mins by our systems.

1.4 What is a MOTO transaction?

A Mail Order, Telephone Order transaction is a transaction made when the cardholder is not physically present. MoTo transactions are typically keyed into a physical or virtual terminal.

1.5 What is an E-Commerce transaction?

This is when the sale and purchase transaction is completed electronically, typically over the internet.

1.6 How do I generate a report?

Once you have logged in to the MCP using the details provided to you, navigate to the tab All Available Reports and click on this. You will then be presented with a list of reports that can be used with a description of each ones function supplied. Selecting the required report, you will be presented with a page that requires certain parameters to be selected or completed. For example, the Merchant ID (MID) the report is required on, Date range and transaction result. Once the parameters has been selected click on Display Results.

1.7 Can I print a report?

Yes. You will first need to generate the required report. Once the report is displayed there is a drop down box on the top right hand side of the report that says “Export-As”
Select the type of export you would like, the common hoice is Excel Worksheet. Then use File>Print.

1.8 What do the different fields on a report mean?

Depending on the report generated the common fields displayed in the report are as follows:-

  • List no.= The number of the transaction as displayed in the current report
  • MID = CityPays Merchant number 
  • TransNo = This is a unique number issued to each transaction for that MID
  • Date = This is the date that the transaction was processed (please note that a pre-auth transaction it will be updated with the latest instruction ie. the date it was completed.)
  • Time = This is the Time the transaction was processed (please note the default setting in reports is to display this as GMT)
  • Identifier = This is a field that is supplied by yourself which should help you identify the transaction.
  • Type = This is the type of transaction processed typical values are MOTO, E-com,and CA.
  • Result = This is the result of the transaction, typical values are Accepted, Declined, Rejected, Cancelled and Auth Req.
  • Mode = This whether a transaction was processed in Live or Test.
  • Card Number = This is masked card number used to make the payment.
  • Authcode = If the result is accepted then a series of numbers or letters and numbers will be displayed, This is supplied by the authorising bank, ( Please note that test transactions will be displayed with an authcode of A12345)
  • Amount = The value of the transaction processed.
  • Currency = The currency that the MID is processing in.
1.9 The times in the reports are in GMT how can I change this?

When you login in to the MCP on the default page you will have an Area on the right hand side that says “Login Details” next to this is a link called change in brackets. If you click on this you will be provided with a new page titled Change my Settings. If you change the Time Zone using the drop down box from GMT to your local area this will change the Timezone the reports are displayed in.

Please Note that transactions are sent for settlement using GMT so a transaction processed at 23:02 GMT will not appear on a report that is in BST during the months of June to October run for the same date period. It will appear on the next days report.

1.10 A transaction result is "referred", what does this mean?

This means that the bank has referred the transaction, which results in a declined payment on the internet. The bank does not tell us why the transaction has been referred, but it is normally due to:

  • a request for further information, such as authorised signature or card holder identification,
  • frequent use of the card within the last 24 hours
  • a random referral.
  • If the customer calls the card issuer, you may be informed that they are waiting for an authorisation code from the store. As this is an online purchase, an authorisation code CANNOT be obtained and sent to the card issuer to authorise the transaction.

We would therefore advise you to try again later, or to use a different card.

1.11 A transaction has a result of "Not Attempted" what does this mean?

Not attempted means for whatever reason the payment was not attempted, this can be down to a number of reason ie . CV2 not supplied, card expired etc.

1.12 A transaction has a result of "Waiting Authorisation", what does this mean?

If a transaction requires authentication using 3-D Secure, it will be marked as 050 waiting for authorisation. Should the transaction never be authorised i.e. the user decided not to continue with the transaction then the transaction will remain with the status set. This value will help to define whether authorisation was not fully processed at the time of the transaction.

1.13 How do I know if a transaction has been settled?

You will need to find the relevant transaction using the Transaction Search. Then click on the yellow arrow icon on the right hand side of the transaction and then click on the View Transaction Details link on the right hand side.Scroll down to the section Settlement Details

  • BatchNo: The Number of the batch that this transaction is in that was sent to the acquiring. The total batch can be viewed using the Merchant Batch Report.
  • Status:     This indicates whether the transaction is still open or settled.
    • Open = transaction not yet sent to the Acquiring Bank
    • Settled = transaction has been sent to the acquiring bank.
  • TX info: This field is normally empty, although a number of airlines use this field for the booking reference number etc.
1.14 How can I search for a transaction?

There are two ways for searching for a transaction

  1. If you know one of the following details you can then use the “Transaction Search” link in the top right hand corner
    • Identifier
    • Transaction Number
    • Last four digits of the card used
    • Amount.
    • Authorisation Code
    • Masked card number – this needs to be entered as the first 6 digits of the card number and the last 4 digits then *’s for the numbers in between. The total number of digits entered including the  *’s needs to be the exactly same as the full card number therefore a 16 digit card number would require six *s and a 18 digit card would require eight *s.  For example a 16 digit card should be entered as 400000******0002.
  1. If you only know the date of the transaction then you will need to use the “Merchant Transaction Report“.
1.15 How do I perform a refund through the MCP?

In order to refund a transaction:-

    1. Use the search link and enter the necessary criteria, ie. last 4 digits of the card or transaction number to find the original transaction.
    2. Either double click the transaction or click once on the icon on the left of the line to drill down to the transaction details.
      (This will enable you to confirm that the transaction selected is the correct one and to proceed with the refund).
    3. Click on the link ‘Refund this transaction’ underneath the transaction details.
    4. The secure refund terminal will enable you to enter the amount of the refund (which can be any amount up to and including the full amount. Please note that the amount will require a decimal point now ie. 1.23 You may change the ref/identifier of the refund as required.
    5. Click on the ‘Confirm Refund’ button to proceed. The next page will allow you to review your refund.
    6. Click on ‘Process Refund Transaction’ to complete the refunding.
1.16 What is a LUHN Check?

A LUHN check will validate the card number input against our records. If this fails then the card number you have input is not valid.

1.17 Why does the MCP sometimes show badly formatted pages?

This is caused when your browser caching is not clearing properly,

  • On Windows, you can manually refresh by using Ctrl+F5.
  • On a Mac use the “Clear Browser Data”.
Questions about this page? Please email support CityPay Support at

Merchant Account and Customer Queries FAQ

2.1 How do I change what appears in the cardholder credit card statement?

The narrative that appears on the cardholders’ statement is controlled by your acquirer (Bank). If you need to change this, you will need to contact your Acquiring bank direct and ask them to make the appropriate changes.

2.2 Does CityPay check for duplicate transactions?

Yes, CityPay checks each transaction as it arrives for processing against previously processed transactions with the aim of preventing duplicate transactions. Each MID is configured with a duplicate checking window during which duplicate transactions are rejected if all the properties of a transaction are the same. The duplicate checker analyses the internal properties of a transaction including the card, merchant ID, identifier, amount, AVS details, and remote address. If a transaction request results in a communications problem or a configuration problem, the transaction is cleared from the duplicate list to allow consequent transactions through.

2.3 How long is a duplicate transaction checked for?

Checking for an individual duplicate transaction will time out once a previously configured period has elapsed. After this period a duplicate transaction will be allowed to process. This setting can be configured per merchant account with the default set to 5 mins. Should you wish to change this setting please contact CityPay Support who will arrange this on your behalf. The timeout period can be set from 5 mins to 2880 mins (2 days).

2.4 How do I prevent a transaction from being picked up by the duplicate checker?

By changing one of the properties of the transaction, the duplicate checker will allow the transaction through. Such as an amendment to the identifier or processing from a different IP.

2.5 Can I disable duplicate checking?

You may disable duplicate checking entirely against your merchant account. Contact CityPay to perform this or to reduce the timeout period.

2.6 I am getting the error "T006 Transaction Error:3D Secure Authentication Required", what does this mean?

A T006 error is returned when a transaction has not been fully 3D secure authenticated.Merchants deploy 3D Secure authentication to try and prevent online fraud.

3-D Secure is a protocol used as an added layer of security for online credit and debit card transactions. It was developed by Visa to improve the security of Internet payments and offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by Mastercard, under the name MasterCard SecureCode. 3-D Secure should not be confused with the Card Security Code (CV2, CSC) which is a short numeric code that is printed on the back of the card.

If you have not registered your card for 3D Secure your bank should prompt you to enroll online when you are trying to make a payment through a merchant that support 3D Secure. After enrollment you would be issued with a password which you could use for future online transactions. If you’re not invited to enroll by your bank, please contact them for assistance.

If your card is enrolled for 3D Secure and attempts are being made to authenticate this card. You will need to contact your card issuing bank for them to confirm why authentication is not being completed.

2.7 What does error message 090 mean?

Error Code 090 means that the transaction has been declined by your bank. We are not informed as to the reason and you will need to contact your card issuing bank for confirmation as to the reason.

2.8 What does error message 096 mean?

Error code 096 means the postcode does not match. This means that the postcode that is being entered does not match the one stored by the card issuing bank. You will need to contact your card issuing bank and verify the postcode they have stored. (this is entered manually at the bank and can be subject to human error) or alternatively use the postcode that is on the bank statement for that card.

International postcodes can not always be handled by acquiring banks and the response will therefore also be declined.

Ireland does not have any postcodes so if you supply AB in the PostCode field this normally resolves the issue.

2.9 Why have you declined my transaction when my bank has confirmed that its been authorised?

Merchants can add additional levels of security to their accounts and when a bank authorises a transaction they will also respond back with additional details with regards the CV2, AVS Address and AVS PostCode matching. Depending on the settings on the merchant’s account these authorised responses can then be either marked as accepted or declined. If a transaction is marked as decline then our systems sends back a cancel instruction to the bank to cancel the authorisation code. In these circumstances no funds will be deducted from your account but your bank may not have acted on our cancellation instruction and have these funds marked as pending payments. You will need to contact your card issuing bank if you want clarification that these funds have not actually been deducted and for them to be released.

2.10 When being directed to the Verified by Visa or MasterCard Secure I am presented with a blank box/screen?

Either your Browser options, network firewall or your local machine is filtering out the iframe which embeds the 3DS page. To confirm this please got to which will either show “I have been loaded by an iframe”, “Your browser cannot show iframes” or a blank screen. If possible please also let us have the html source of this (Ctrl-U) which would also be useful if it is filtered by a firewall.

2.11 My card details are being retained on your payment page how can I stop this?

It is your web browser that is retaining your details not CityPay. This can be prevented using the following instruction for your browser.

Internet Explorer.
Tools – Internet options – general tab go to the Browsing History section – Delete button – enable Form Data – Delete – Apply.

Tools – Options – Privacy – Use custom Settings for history – un-tick remember search and form history – ok.

Spanner Icon – Options – Personal Stuff – Autofill Options – un-tick the box the Enable fill – Close

Questions about this page? Please email support CityPay Support at

Technical FAQ

3.1 How does the payment cycle work?

CityPay processes multi-currency credit and debit card transactions through leading financial institutions without the need for Merchants to invest in their own dedicated costly infrastructure and the added burden of having to install, test and maintain yet another system.  To process credit and debit card transactions online Merchants need  to consider the following:

Key requirements

Merchants wishing to accept credit and debit cards on their website, need to firstly apply for an Internet Merchant account from an Acquiring Bank (list of approved banks with CityPay are listed on our partner page).

Merchants would then need to select a Payment Service Provider (PSP) such as CityPay and integrate their website and shopping cart as required using an appropriate API (See CityPay’s API documentation for further details)

Merchants would also need a SSL (Secure Socket Layer) certificate for their webserver unless they use a secure hosted form such as PayLink.  

Authorisation Process

The card details are entered by the Cardholder on either a secure hosted form or Secure server then securely submitted to CityPay over SSL for authorisation. The CityPay Gateway makes a number of checks and if accepted the transaction request is passed through to the Acquiring Bank, who is responsible for connecting through the card scheme infrastructure to the Issuing Bank.

If the transaction is approved, an authorisation number is returned back to the website through the Acquirer and CityPay and the authorisation is now complete. If the transaction is declined a failed message is returned to the website.

CityPay’s system records detailed information on every transaction, which is made available in real time to the Merchant over a secure link across the Internet. The above authorisation process takes between 3-5 seconds.


Every transaction is automatically marked for settlement at 00.00 GMT unless the account is set for pre authorisation only in which case a further complete or cancel instruction is required from the Merchant.  The authorised transactions are sent to the Acquiring Bank for settlement over a private connection.

Transfer of funds

Finally, the Acquiring Bank settles funds into the Merchant’s business account.  The payment process from initial authorisation to settlement takes on average 3 working days.

3.2 How to prevent double clicks?

On web pages a double click can be prevented by adding JavaScript on the submit button such asonclick=”this.disable=true”. This will prevent immediate clicks but is reliant on the browser to perform the operation and for the user to have JavaScript enabled. A better but more advanced approach is be to use threading on the server side that prevents multiple requests from processing beyond the e-commerce site. A session will check the status of the processing as it is being processed and once a response returned, the session is updated with the payment result. Please see the CityPay Paylink pages for an example of this happening.

3.3 I am getting T001 errors when I process?

T001 errors are the error code for a duplicate transaction, please see duplicate transactions above and here .

3.4 I am getting P007 errors when I process?

This means that your payment request is not from an accepted source. If you are a customer please contact the merchant you are attempting to pay direct. if you are a client of CityPay please provide us with the URL.

3.5 I have not received any orders for sometime now is there any issues?

Please enquire with who will be able to review activity against your service

3.6 I am using CityPay's Batch Processing Facility, is it possible to obtain the results of the Batch Processing automatically?

Yes. This can be done automatically via a CityPay API or reviewed through CityPay’s Merchant Control Panel.

3.7 Merchant account is set to live but transactions are still being processed as test?

Please ensure that you are sending in the value “test=false”. If no value is sent it will default to a test transaction.

3.8 I have received "The file type mime-type was not accepted by the server" error message when trying to send you a file?

The secure exchange only allows files of certain types to be uploaded, currently the accepted file list is:



Mime Type













Adobe PDF



Microsoft Excel



Please ensure that the file type uploaded is covered in this table.

3.9 I am getting T005 error?

When a cardholder completes the authentication process, their Issuing Bank will sign the PARes. When the PARes is received by the MPI, the signature is checked to ensure that it is valid for that Issuer.

If the signature is missing or is not valid, T005  3D Secure Authentication Error – Caused when the PARes fails digital signature validation. Cardholders should try another form of payment –

response will be returned. 

An invalid signature can be a sign of suspicious activity by the cardholder. If it occurs for more than one cardholder with that specific Issuer or ACS, it could indicate that the Issuers ACS is experiencing an issue.

Questions about this page? Please email support CityPay Support at

Shoppers FAQ

4.1 What is Paylink ?
Paylink is the secure hosted form provide by CityPay Limited.
4.2 Who is CityPay Limited?
CityPay is a Payment Service Provider and ISO. CityPay has been established since 1999 and is accredited with most UK acquiring and some European banks. We can accept Visa and MasterCard, American Express, Diners, Laser, JCB and all the major debit cards.
4.3 I have not received confirmation of my order.

Please contact the online retailer from whom you placed the order with.

The online retailer is responsible for all aspects of your order and therefore we recommend you contact them direct. Their contact details should be displayed on their website.  CityPay only processes the payment on behalf of the online retailer and  we do not hold any information with regards to your order. 

4.4 How do I know if my payment was successful?

When you submit your payment details through CityPay’s secure hosted form Paylink, we submit these details to your Card Issuing bank and request an authorisation. Depending on the result of this request you will be displayed a Successful or a Declined message on the screen.

Please note that authorisation of your payment does not guarantee acceptance and fulfilment of your order from the online retailer. It is the online retailers responsibility to confirm your order.

4.5 How do I cancel my order and get a refund?

Please contact the online retailer direct. The online store is responsible for all aspects of your order. CityPay only provides the online retailer the ability to process payments securely over the internet and are not authorised to cancel any orders or perform a refund.

4.6 My transaction is being declined because the postcode is incorrect.

The postcode entered needs to be the one registered for the card statement address and not where you wish the goods to be delivered or the billing to be sent.

The postcode that you are entering does not match the one stored at the card issuing bank. You will need to contact your card issuing bank and verify the postcode they have stored. (this is entered manually at the bank and can be subject to human error.) or alternatively use the postcode that is on the bank statement for that card.

International postcodes can not always be handled by acquiring banks and the response will therefore also be declined.

Ireland does not have any postcodes so if you supply AB this normally resolves the issue.

4.7 Which payment methods do you accept?

CityPay is able to process most common international and domestic card types, however the online retailer can choose which card types they wish to accept.
If your card type appears not to be accepted please contact the online retailer direct.

4.8 Can I pay by another method?

CityPay can only accept online payments made over the internet, therefore if you wish to pay by cheque or provide your card details over the phone, you will need to contact the online retailer direct.

4.9 I am unable to contact the store what should I do now?

Unfortunately if you are unable to contact the online retailer then CityPay suggests that you contact your card issuer and enquire what your consumer rights are.

Questions about this page? Please email support CityPay Support at