Hash HMAC-Authentication in Notify
The shop must verify that a notification request really comes from Computop Paygate. Otherwise an attacker can initialise a transaction and then falsify this notification. A shop operator will not manually check whether a corresponding transaction was performed in each case. Therefore, the module must do this automatically.
Currently, the notification request is only encrypted. However, this encryption does not guarantee the authenticity of a message. It only guarantees that a message cannot be listened in on. Therefore, this safety measure is insufficient.
As a result, the response parameter MAC is used, which is formed via the same algorithm as the MAC in request. Only the data parameters differ.
The following data pattern applies here for hash generation: PayID*TransID*MerchantID*Status*Code
The MAC parameter is only returned to the URLSuccess or URLFailure and for URLNotify.
Your integration must check whether the response received is authentic.
The following table describes how you can generate the Hash values to validate Computop Paygate response that you received:
Step | Task | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Please log on to Computop Helpdesk, which supplies you with the Hash password. | ||||||||||||||||||||||||||||||
2 | The HMAC value is calculated with the aid of the password and several parameter values. For the calculation, the parameters PayID, TransID, MerchantID, Status and Code are used and separated with asterisks:
| ||||||||||||||||||||||||||||||
3 | Use the HMAC SHA-256 algorithm, which nearly all programming languages support, in order to calculate the Hash value with the password and the parameter values. | ||||||||||||||||||||||||||||||
4 | Verify
to ensure that the message you have received is authentic. |
Check your implementation
You can find an easy application to check the implementation of your MAC calculation here: https://computop.com/paygate-test
The application also allows to play with our Paygate API - just use your MerchantID and Blowfish-Password that you already have received.
Important: Your system has to ensure that a notification request has really be sent by Computop Paygate. Therefore the received values for PayID, TransID, MerchantID, Status and Code have to be hashed using your HMAC-password and this HMAC-value must be identical with MAC-value from request. If these values do not match the request must not be processed.
Important: To calculate HMAC-value please use the value of parameter MID which has be sent by Computop Paygate.
Important: Password (like HMAC-password) must never be sent via email, because email is not a secure way of data transmission. If passwords are sent or forwarded via email new passwords need to be established at the expense of the merchant or will be changed with next release of MerchantID-changes. Computop Computop expressly points out the risk of further use of such compromised MIDs. If a merchant continues to use such a compromised MID, he himself bears the liability risk for possible losses caused by the compromised passwords.