Verification Hash


The Verification Hash can be used as an additional means to validate that the response to your server is originating from the payment gateway. We support two methods for using a hash of submitted data to verify it.

Note:

  1. We currently support hashing using two methods - MD5 and SHA256. Both are currently accepted but it is advised to use SHA256 when possible.

  2. An authhash key must be generated in order to use this feature. An authhash value will no longer be accepted when there is no key on file.

Inbound Hash - the merchant creates a hash using a shared secret that we then duplicate and compare to what is submitted.

Outbound Hash - we generate a hash and include it with our outbound call-back that a merchant can use to verify that the request came from us.

Please contact our Support Department through our Online Helpdesk to request enabling this feature for your account.

Upon activating this feature, log into your Administration Area, and click the link for Security Administration.

You will see a new menu option called “Verification Hash”.

The section labeled “Authorization Verification Hash” is for inbound requests.
“Response Verification Hash” is for our outbound request to you.

Inbound Hash

Use the radio button to create the hash, and then choose which fields you want to include.

For example, if you check publisher-name and card-amount, then on your system you would first create a string using the values for the variables.

{transaction time}{key}{publisher-name}{card-amount}

When using card-amount, you should use the proper number of decimal points and include currency. (i.e. 10.00 would be included as {USD 10.00})

Transaction Time is a timestamp of when the hash was generated in GMT. Its format is:

YYYYMMDDhhmmss

This string is then “Hashed” via MD5 and sent to the gateway in the variable ‘authhash’.

Make sure to send the transaction time you used in the variable ‘transacttime’.

Note that you may test this flexibly, as it won’t take effect until you enable it in a separate part of Security Administration.

Outbound Hash

This is accomplished by the server generating a unique verification key and returning this key to your server with each transaction. This verification key is generated using a “secret” verification hash you create on the server together with pieces of the transaction data. This string is then hashed using the MD5 hash function. When your software receives a transaction response, it can recreate this key using the same methodology. If the keys match then the response is legitimate.

For this feature to work, your software must have been designed to support this functionality.

Creating the “secret” verification hash is as simple as selecting the desired action and clicking on the button labeled “Create/Change/Delete Verification Hash”. This will either create, change or delete the current Verification Hash. You will then need to copy the generated verification hash into the appropriate portion of your software. This part is critical, as without the same verification hash on both systems it will be impossible to verify the returned key.

The verification key is generated by combining the verification hash together with your account’s publisher-name, orderID, and card-amount to form a single string in the order shown and then applying an MD5 hash function to the string.

For example, assuming the following values:
verification hash: 8d6c15304f86e136ed9dbaaea

and from the transaction data submitted:

publisher-name: pnpdemo
orderID: 2008120816235912345
card-amount: 10.00

The source string would be: 8d6c15304f86e136ed9dbaaeapnpdemo200812081623591234510.00

After applying the MD5 hash function to this string, the resulting hashkey returned to your server would be: 05fa2537460459b167ac946c9239636f

You would compare your generated hashkey to our supplied “resphash” response field. If the keys match, the response is legitimate.
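
The receiving side of the outbound check, as an added example that is not the gateway's own code: it rebuilds the source string from the response fields in the documented order, hashes it with MD5, and compares the result to resphash in constant time. The dict of already-parsed response fields, the function names, and the lowercase normalisation of resphash are assumptions.

```python
import hashlib
import hmac

# Fields appended after the secret verification hash, in the order the page gives.
FIELD_ORDER = ("publisher-name", "orderID", "card-amount")


def source_string(secret, fields):
    """Secret verification hash followed by the three fields, no separators."""
    missing = [name for name in FIELD_ORDER if not fields.get(name)]
    if missing:
        raise ValueError("response is missing: " + ", ".join(missing))
    return secret + "".join(fields[name] for name in FIELD_ORDER)


def compute_hashkey(secret, fields):
    """MD5 hex digest of the source string, as described for the outbound hash."""
    return hashlib.md5(source_string(secret, fields).encode("utf-8")).hexdigest()


def response_is_authentic(secret, fields):
    """True only when the supplied resphash equals the recomputed hashkey."""
    supplied = fields.get("resphash", "")
    try:
        expected = compute_hashkey(secret, fields)
    except ValueError:
        # A response without the hashed fields cannot be verified: reject it.
        return False
    # Compare as bytes in constant time so the check does not leak, through
    # timing, how many leading characters matched. Lowercasing the supplied
    # value is an assumption about how the field may be cased in transit.
    return hmac.compare_digest(expected.encode(), supplied.strip().lower().encode())


if __name__ == "__main__":
    # Example values taken from the page; fill resphash from the real callback.
    secret = "8d6c15304f86e136ed9dbaaea"
    response = {
        "publisher-name": "pnpdemo",
        "orderID": "2008120816235912345",
        "card-amount": "10.00",
    }
    response["resphash"] = compute_hashkey(secret, response)
    print("authentic:", response_is_authentic(secret, response))
    response["card-amount"] = "1.00"  # altered after hashing
    print("after tampering:", response_is_authentic(secret, response))
```

Hash card-amount exactly as received, as a string; reformatting it (for example 10.00 to 10.0) changes the digest and makes a legitimate response fail the check.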