Contis provides a complete PCI DSS Level 1 compliant banking and payment platform for companies that need some or all the elements of a banking solution to bring their own products to market. You can access our platform and services using our Contis APIs.

Sandbox is a development environment in which you can thoroughly test your code before taking your integration live.

Occasional patching and new code testing causes frequent downtime in the Sandbox. As Sandbox is an elementary testing environment it does not support urgent hot fixes.

No. Unlike the Production environment you do not need a VPN connection to access the Sandbox.

In Production environment you run your live system. You can make code changes using Urgent Hot Fixes. Disaster Recovery is also available in this environment.

The card used is genuine and live transactions happen. This Production environment requires a different VPN setup.

Security keys enable you to encrypt and decrypt information sent to you via an API request. You must also connect to Contis using a secure VPN.

No. Each Contis environment has its own set of security keys.

During the initial setup, the keys are shared via SFTP.

A VPN-Disaster Recovery (VPN-DR) form records all the configuration details of your VPN setup. Your data is replicated in another secure location with an IP address, different from the Live or Production. In the event of a disaster, Contis connects your IP to that of the DR site and maintains continuity of the service. Disaster recovery only exists in the Production environment.

Secure File Transfer Protocol (SFTP) is safe method of connecting to a dedicated shared drive for file sharing with Contis. Each API environment has a different SFTP, i.e. one for Sandbox and another for Production.

Follow this guide to set up a secure FTPguide to set up a secure FTP connection to Contis.

A Scheme is an arrangement or build of the API product as per the agreement between you and Contis. A scheme consists of card designs, terms and conditions, and other settings.

The keys that control information flow between your application and Contis. They encrypt and decrypt the information exchanged between your URL and Contis. There are two major categories of security keys – for the physical and virtual cards.

Briefly, the API set up process is:

  1. Scheme set up
  2. SFTP set up
  3. VPN set up
  4. IP whitelisting
  5. API account configuration
  6. Testing

An API request is the method for calling a function held on an API server. The request will contain all the parameters you wish to pass into the function.

An API response is data sent back by a server in response to a call or request you made.

A response from Contis that confirms that your request was successfully handled. In other words, you API call was successful.

A response from Contis that indicates that something went wrong. An error may be caused by unauthorized access, using wrong parameters in a call and more. The error response helps you to understand what went wrong during the call.

Your official URL is added in the Contis database. This is process is known as IP white listing. This enables a secure VPN connection to be made between your URL and Contis. If you call from a different IP address that is not white listed, your call is rejected.

Access to the APIs is rights-controlled, that means you can only access those APIs that you have registered for during your account set up.

A Standing Order (SO) is an instruction to transfer a fixed amount on a daily, weekly, monthly to a beneficiary account. The instruction can be set to make a fixed number of payments at specified time intervals.

The numbered code related to the reason of failure of a specific API call method.

Contis recommends the following best practices to reduce system overload and optimise performance:

  • When you log in to Contis, the platform returns an authentication token. The token persists for 2 hours after the last API request or response. You can save time by calling the sign in method once and reuse the token for subsequent requests.
  • Use standard formats for date, time, Boolean and in any ISO fields exchanged during AP calls – formats can be found in the API reference.
  • Store parameters such as ‘CardProgramDesignRef’, ‘ControlAccount’, ‘MasterAgreementCode’, ClientCode, etc, globally in your web service client.
  • Store log-in parameters such as ‘APIusername’, ‘APIpassword’, ‘HashPANKey’, ‘3DESPINKey’, ‘SecretKey’, ‘FTPUsername’, and ‘FTPPassword’ as global parameters in your system to enable quick change whenever needed.
  • Understand response codes to avoid repeated call failures and to provide useful error messages to your users.
  • Understand all the look-up values before making an API request.

Envelope enables your customers to set aside funds on payday for their recurring weekly or monthly expenses. The Envelope safeguards the funds needed for essential expenses, preventing accidental overspend and automatically pays pre-arranged amounts for important expenses like rent, utilities, and grocery bills.

Your customers have peace of mind that funds in their account sitting outside the Envelope are disposable.

Yes. Within the Envelope Controller you can use API methods that enable you to execute different Envelope-related functions:

  • Reserve funds in an Envelope within an account or release back the fund into account from envelope.
  • Execute Direct Debit payments through an expense envelope.
  • Get or update information about an envelope.
  • Fetch a list of envelopes within an account.
  • Disconnect or delete an envelope from your account.

Contis provides access to a secure FTP location where you can upload and download files. For more information see the Secure FTP set up guide here.

Secure Hash Algorithm used for cryptography during hashing. Examples include SHA-1 and SHA-2. Contis uses the more secure SHA-2 industry standard encryption algorithm.

Head Office Collection Amount (HOCA) is not a trading account but is used to receive and add large volumes of funds or payment. HOCA requires a settlement account.

The funds are aggregated with other funds as a single fund and transferred by a single Standing order.

Clearing House Automated Payment System (CHAPS), is used to make money transfers from one bank to other on the same day.

Banker’s Automated Clearing Services (BACS) is used to make a direct payment from one bank account to the other for high value transactions.

Third party retail banking agent, authorised by the bank to provide selected banking products and service on the behalf of bank.

HOSC stands for Home Office Sanction Check. The Home Office Sanction database stores the names of persons blacklisted by the Home Office Treasury for their involvement in financial crimes, frauds and nefarious activities. Contis downloads the updated file from Home office site on a regular basis.

Your client’s name is screened against the database. If the name matches, it is kept in the suspected list and marked as “pending”. Once a name is verified, it is either given a new status – “Match” or “No Match”. If the status of the application is ” Match”, the application is rejected.

Contis crosschecks a consumer’s or consumer’s identity against an identity database. Based on the verification, a score is given and if it falls within the pass range, then the account is created.
KYC Status Description
Pending The status of the new application for which KYC is underway or not yet complete
Pass The status of the new account application, whose KYC score is within the defined acceptable range
Restricted The status of new application, whose KYC score or value cannot be configured as it is only read only
Refer The status of new application that fails to reach a score value within the defined range of Pass and Restricted
Alert The status of the new application that fails to get all above mentioned status. This KYC status is manually generated by the staff member and has the authority to assign “Alert” status to the new user.
When a new consumer is added, a KYC check is made automatically. KYC is followed by a Home Office Sanction Check (HOSC), which is a criminal background check. These checks can take up to 20 minutes, so the API will not immediately return a response.

The authentication key generated after successful login to the Contis API system. The token is used when to authenticate the user every time a call is made to the Contis server.

A device token is a unique identifier for an individual mobile device. This allows transactions to be restricted to trusted devices only.

Hashing is a method of encrypting confidential data, for example card numbers, sent across networks. Contis uses the SHA-2 industry standard encryption algorithm.


Use the API – Director – AddDirector – to add more directors. The primary directors are added when company is created by the method LimitedCompany – Registration or BasicCompany – Registration or AdvanceCompany – Registration; depending on the type of company you have created.

Use any of the methods – LimitedCompany – Registration or BasicCompany – Registration or AdvanceCompany – Registration – depending on the type of company you want to register. This will activate our Know Your Customer (KYC) and Know Your Business (KYB) processes to verify the company and its directors. Once company is verfied, use the Business – ActivateCompany”) method, to activate the company.

Use P2P API methods SendMoney and AcceptPayment. SendMoney API enables you to send money to a payee. AcceptPayment API enables you to accept a payment from the payer.

Use any of the following methods in the Transfer Controller – RequestPaymentbyAccountRequestPaymentbyEmail, or RequestPaymentbyMobile – to send a payment request to a payer. The payer can accept the request and pay you the requested amount via PayRequestedMoney.

Use the method PayDirectDebitbyEnvelope to automate a payment for weekly or monthly, recurring, essential bills through an expense envelope.

Use the Department – AddDepartment method. If you want to change the head of the department then use method ChangeHOD. The SetLimits method allows you to set up POS, ATM and ecommerce spend limits for a department.

Use the method Department – GetSpecificDepartment to get name, location and description of the specified department. The GetLimits method fetches a department’s spending limits for POS, ATM and ecommerce portal. You can also get list of pending or uncleared payments of the department via method ListPendingCardAuthorizations

You can update personal information like name, date of birth and gender of the director by using Director – UpdateDirectorDetails method. Use the method UpdateDirectorContactDetails to update director’s contact information including email, mobile number and address.

Use the Communication – Enquiry method to generate a specific request or enquiry. The comments in the enquiry are posted to Contis API support service. If you want a call back from service provider, then you must pass the boolean ‘RequestCallBackRequired’ as ‘true’ when you make the API call.

Manage using the following methods:
Use Business – AddConsumers. You must call this method each time you want to add an individual employee, i.e. you cannot add all the employees in a single call. Each employee is assigned to their department based on details provided in the request.


After you sign up to to use Contis’ services Contis Project (or Account) Manager provides you access. Account credentials (username and password) are sent to you via secure FTP.

The Holding account in the Scheme used for transfer of money to and from different sub accounts.

Use the Security API – Login, to log in to your API account. Then call Consumer API – Add Consumers to setup one or more consumer. During the account setup process, you need to pass an eight-digit agreement code which is specific to the card design you want. For more information see our Quick Start Guide.

Once you have created a primary account, use the method Consumer API – AddAdditionalConsumer. This method enables you to add one or more secondary account to your existing primary account. Both consumers – primary and secondary – have the same account number and agreement.

Use the method LoadConsumerAccount. This method enables you transfer money into a specified account. As a client of Contis if you have created multiple consumers with separate account numbers then call this method separately to load funds into each individual account.

No. Once you call the API method AddConsumers, our automated KYC and HOSC checks are carried out in the background. The process takes up to 20 minutes to verify the information provided by the consumer. After verification, the account is created.

Use Transfer – AddRecipient method to link up a consumer account in Contis with a UK or international bank account. Once linked up, use the method BankTransfer to debit money from consumer account in Contis and credit to an external bank account.

Use the Envelope API method ReserveFund to transfer specified amount from the account to the envelope and reserve it for payment of recurring bills. You can only use the funds in the envelope for the purpose for which it is reserved. However, you can release the unused fund from envelope into the account for normal use. To release the fund, use the Envelope API method ReleaseFund.
To manage Direct Debit instructions for your account, use:
  1. DirectDebit – GetSpecificInstruction method to fetch details of a specific Direct Debit instruction.
  2. ListInstructions method to get list of Direct Debit instruction for an account.
  3. CancelInstruction method to cancel a specific Direct Debit instruction.
  4. GetInstructionForEnvelope method to fetch Direct Debit instruction for an envelope in an account.

API method Account – ChangeTerms enables you to change the terms of your agreement package.

There are many limits applicable to an account, therefore you must use more than one method to know all the limits.


Genuine payment card information cannot be used in the Sandbox. Instead, Contis provides test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment.

The keys used are:

  • PAN_TDES_KEY for encryption of PAN
  • PAN_TDES_IV for decryption of PAN
  • CVV2_TDES_KEY for encryption of CVV2 during Retrieve CVV2 function call
  • CVV2_TDES_IV for decryption of CVV2 Virtual Card

Three security keys are used. They are:

  • Hash Pan Key for PAN hashing
  • 3DES PIN IV Key for decryption of the PIN
  • 3DES PIN Secret Key used for decryption of the PIN

A hash card number is an encrypted (hashed) version of a 16-digit card number.

Yes. Use the method Card API – AddVirtualCard. A random virtual card number is generated and linked to the debit card. The request returns an encrypted virtual card number. This number can later be passed on to your consumer.
Use the Card API method – GetVirtualCardCVV to get 3-digit CVV number.
Use the GetActivationCode method to get the three-digit activation code. Pass this code as a parameter in the ActivateCard method. The card is activated.
You must call the Card API – ViewPin to get four-digit PIN in encrypted format.
Yes. Use the method ConfigureCardFunction to disable or enable the card for:
  • POS purchase.
  • Cashback on a purchase.
  • Payment at fuel station.
  • Contactless or an international transaction.
Use GetSpecficCard method to get the name of the consumer, hashed card number, account number, status of card and information whether card belongs to primary or secondary consumer. You can also view date of issue, activation and expiry of the card.
Use the method Card – SetCardAsBlock. The card is blocked immediately to prevent its misuse. Next, use method SetCardAsLost. Only active and inactive cards can be set as lost.

If the lost card is not found, then use the method Card – SetCardAsLostWithReplacement. The card is marked as lost permanently and blocked. A new card is issued in the place of the lost card.

If the lost card, which you had blocked earlier, has been found then you can now unblock the card by using the method Card – SetCardAsNormal.


Use the API – Mobile/AddQuickBalanceAccount. In the request, provide the account numbers you want to link up with your mobile device.
Use either of the two methods – MobileLogin or LoginMPIN. You must provide username and password in the MobileLogin method to log into your account. In the LoginMPIN method, you must use Mobile PIN to log into your account.
Use either of the methods – RegisterMPINByLoginDetails or RegisterMPINByCard. In the method RegisterMPINByLoginDetails, you must provide username and password to setup the mobile PIN. In the method RegisterMPINByCard, you must provide card and consumer details to set up the mobile PIN.
First, use the API – Mobile/DeleteLoginDevice – to disconnect your account from the current mobile device. Then call the API – Mobile/AddLoginDevice – to add the new mobile to your account.
Use the API – Mobile/ListConsumerFeatures . You get features of the account, along with account number and the sort code.
Use the API – Mobile/ChangeMPIN – to change the MPIN. Use the API – Mobile/DeregisterMPIN – to delete the MPIN.
Use the API – Mobile/GetQuickConvertedAmount. You get the converted amount in the desired currency at an exchange rate that exists on the date and time of execution of the API.

Junior Consumer

Yes. You can register an account of a child, aged 13 to 18 years, as a junior consumer, managed by the guardian. Use the API – Consumer/AddJunior – to register a junior consumer and open the account.

Sole Trader

Use the API – SoleTrader/Registration to register your business in the business portal. Once registered, your personal details and address in verified through automated KYC process. On successful verification your business account is created.

Cardless (AccountOnly)

Yes. Use the API – Cardless/AddConsumers to create primary and secondary accounts without a payment card. If you want to add secondary consumers, then use the API – Cardless/AddAdditionalConsumer.


Yes. Use the API – SSO/Register to register consumer’s unique identifier (provided by Contis), username and password with the SSO service. In response you get ContisUniqueReferenceID as one of the response parameters. Input the ContisUniqueReferenceID with username and password of the consumer as request parameters in the API – SSO/Authenticate. You get a security key and token as response. Use them to authenticate your API access through SSO.


To manage an envelope in your account, use the following methods: