Hash MAC-Authentication in Request

To protect against unauthorised manipulation of your payment transactions, the Computop Paygate checks with the aid of a Hash Message Authentication Code (HMAC) whether your payment enquiry is authentic and has not been manipulated. For this purpose you transfer an HMAC value to the Paygate with each transaction in the parameter MAC.

Background: Unlike the HMAC procedure, every encryption method has the disadvantage that there is a matching decryption method. Anyone who possesses the correct key or cracks the encryption can read and manipulate the data. Therefore, no encryption method is ever 100% safe. In the case of the Hash procedure, conversely, decoding is impossible, so that a Hash value can confirm the authenticity of the message free of doubt.

The Computop Paygate uses a Hash Message Authentication Code (HMAC) to check the authenticity of your payments. The HMAC SHA-256 algorithm is used with a 32-digit key length (256 bits) for this. The additional password makes the HMAC procedure particularly safe.

The following table describes how you can generate the Hash values for your payment:




Please log on to Computop Helpdesk, which supplies you with the Hash password.


The HMAC value is calculated with the aid of the password and several parameter values. For the calculation, the parameters PayID, TransID, MerchantID, Amount and Currency are used and separated with asterisks:


PayId | Referenced PayId | May be empty, e.g. for creating an initial payment process or risk management request; is used with subsequent requests like capture/refund.
TransId | Your transactionId to reference / identify your request | Your own reference to identify each request / payment process.
MerchantID | Your MerchantID assigned to you by Computop | Your MerchantID identifying this request.
Amount | Amount in smallest unit of currency, e.g. 123=1,23 | Amount of this request; may be empty if not used, e.g. for status inquiries.
Currency | Currency of payment process in ISO 4217, e.g. EUR, USD, GBP | Currency of this request; may be empty if not used, e.g. for status inquiries.
YourHmacPasswort | Your HMAC-password assigned to you by Computop | Your HMAC-password assigned to a specific MID; if you have different MIDs you will have different HMAC passwords, too.

Notice: If a transaction does not support all of these parameters, you can simply omit the missing value.

For example, there is no PayID yet with the first transaction, so you do not have to transfer this. The PayID is a component of the Hash calculation in subsequent transactions:

Samples for MAC calculation | Formula | Result
without PayId, with amount/currency | HmacSHA256("*TID-4453732122167114558*YourMerchantID*1234*EUR", "mySecret") |
without PayId, without TransId, with amount/currency | HmacSHA256("**YourMerchantID*1234*EUR", "mySecret") | 1427748D983478080F22BE0878BD99AF7BE3E1C4B19C07AFD1B372BA552ADC08
with PayId, without amount/currency | HmacSHA256("fe3f002e19814eea8aa733ec4fdacafe*TID-4453732122167114558*YourMerchantID**", "mySecret") | 6ED0CFDCE92CE13399552C4221B44E5B036DE943D7F84E33D1E73DF9871AE7C8


Use the HMAC SHA-256 algorithm, which nearly all programming languages support, in order to calculate the Hash value with the password and the parameter values.


Use the MAC parameter to transfer the hexadecimal encoded Hash value to the Paygate with each transaction in the encoded data field.
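
The calculation described above, as an added Python example (not Computop's code): it builds the asterisk-separated string from the five parameters, computes HMAC SHA-256 with the password, and checks a received MAC with a constant-time comparison. The helper names, UTF-8 encoding of the string and password, and the case-insensitive comparison of the hex value are assumptions; the sample request is the one from this page's listing.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# The five parameters that enter the MAC, in the order the page gives them.
MAC_FIELDS = ("PayID", "TransID", "MerchantID", "Amount", "Currency")

# Request without PayID, copied from this page's listing.
SAMPLE_REQUEST = (
    "MerchantID=YourMerchantID&TransID=100000001&Amount=11&Currency=EUR"
    "&URLSuccess=https://www.shop.de/ok.html"
    "&URLFailure=https://www.shop.de/failed.html&OrderDesc=My purchase"
)


def parse_request(query):
    """Split a key=value&... request string into a dict (hypothetical helper)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def mac_input(params):
    """Join the MAC fields with asterisks; a missing field becomes an empty value."""
    values = (params.get(name) for name in MAC_FIELDS)
    return "*".join("" if v is None else str(v) for v in values)


def compute_mac(params, hmac_password):
    """HMAC SHA-256 over the joined string, as upper-case hex like the page's samples."""
    key = hmac_password.encode("utf-8")        # assumption: UTF-8 password bytes
    message = mac_input(params).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest().upper()


def verify_mac(params, hmac_password):
    """Recompute the MAC from the request's own fields and compare in constant time."""
    received = params.get("MAC", "").upper().encode("utf-8")
    expected = compute_mac(params, hmac_password).encode("utf-8")
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    request = parse_request(SAMPLE_REQUEST)
    print(mac_input(request))                  # string that gets hashed
    request["MAC"] = compute_mac(request, "mySecret")
    print(verify_mac(request, "mySecret"))     # untouched request
    request["Amount"] = "1"                    # field changed after signing
    print(verify_mac(request, "mySecret"))
```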


Check your implementation

You can find an easy application to check the implementation of your MAC calculation here: https://computop.com/paygate-test

The application also allows you to experiment with our Paygate API - just use the MerchantID and Blowfish-Password that you have already received.

Notice: The MAC parameter is obligatory for all subsequent transactions (e.g. capture, credit note) if it was transferred with the first transaction (e.g. authorisation).

Important: The Paygate rejects transactions with wrong or missing HMAC values promptly without further processing, because this is an indication of hacker attacks. Therefore, transactions which the Paygate rejects with the error codes 20100044 or 20120044 do not appear in Computop Analytics.

Important: The MerchantID used in the HMAC calculation must be identical to the MerchantID provided in the plain request (parameter MerchantID). Handling of "MerchantID" is case-sensitive - "YourMerchantId" and "YourMerchantID" must not be mixed up.

Listing with HMAC examples

Request without PayID:

MerchantID=YourMerchantID&TransID=100000001&Amount=11&Currency=EUR&URLSuccess=https://www.shop.de/ok.html&URLFailure=https://www.shop.de/failed.html&OrderDesc=My purchase

String for MAC generation:


Request with MAC (Secret: "mySecret"):

MerchantID=YourMerchantID&TransID=100000001&Amount=11&Currency=EUR&URLSuccess=https://www.shop.de/ok.html&URLFailure=https://www.shop.de/failed.html&OrderDesc=My purchase&MAC=0A125E070BD4D7AE614BCB2D5A48FB80E1C4441E262A1024AE7F2A1819052A6F

Request without TransID:


String for MAC generation:


Request with MAC (Secret: "mySecret"):

