Hash MAC-Authentication in Request
To protect against unauthorised manipulation of your payment transactions, the Computop Paygate checks with the aid of a Hash Message Authentication Code (HMAC) whether your payment enquiry is authentic and has not been manipulated. For this purpose you transfer an HMAC value to the Paygate with each transaction in the parameter MAC.
Background: Unlike the HMAC procedure every encoding method has the disadvantage that there is a matching decoding method. Anyone who possesses the correct key or cracks the encryption can read and manipulate the data. Therefore, no encryption method is ever 100% safe. In the case of the Hash procedure, conversely, decoding is impossible, so that a Hash value can confirm the authenticity of the message free of doubt.
The Computop Paygate uses a Hash Message Authentication Code (HMAC) to check the authenticity of your payments. The HMAC SHA-256 algorithm is used with a 32-digit key length (256 bits) for this. The additional password makes the HMAC procedure particularly safe.
The following table describes how you can generate the Hash values for your payment:
Please log on to Computop Helpdesk, which supplies you with the Hash password.
The HMAC value is calculated with the aid of the password and several parameter values. For the calculation, the parameters PayID, TransID, MerchantID, Amount and Currency are used and separated with asterisks:
Notice: If a transaction does not support all of these parameters, you can simply omit the missing value.
For example, there is no PayID yet with the first transaction, so you do not have to transfer this. The PayID is a component of the Hash calculation in subsequent transactions:
Use the HMAC SHA-256 algorithm, which nearly all programming languages support, in order to calculate the Hash value with the password and the parameter values.
Use the MAC parameter to transfer the hexadecimal encoded Hash value to the Paygate with each transaction in the encoded data field.
Check your implementation
You can find an easy application to check the implementation of your MAC calculation here: https://computop.com/paygate-test
The application also allows to play with our Paygate API - just use your MerchantID and Blowfish-Password that you already have received.
Notice: Note that the MAC parameter is obligatory for all subsequent transactions (e.g. capture, credit note) if it was transferred with the first transaction (e.g. authorisation).
Important: The Paygate rejects transactions with wrong or missing HMAC values promptly without further processing, because this is an indication of hacker attacks. Therefore, transactions which the Paygate rejects with the error codes 20100044 or 20120044 do not appear in Computop Analytics.
Important: The MerchantID used in HMAC calculation must be identical with the MerchantID provided in plain request (parameter MerchantID). Handling of "MerchantID" is case-sensitive - "YourMerchantId" and "YourMerchantID" must not be mixed up.
Listing with HMAC examples