Transaction Security

Each Terminal ID (TERMID) has an associated password which must be supplied with each transaction to provide basic security against counterfeit transactions. This password is never sent to a customer’s browser, so it is stored only on your server.

Enhanced security is available by using the KEY field instead of the PASS field. This method uses a cryptographically secure hash to ensure the message is unaltered and that both sides know the PASS without including it in any messages.

A KEY field can be added to any request message in this document.

To sign a request message, create the KEY field by taking the full message string (without PASS) and generating a SHA256 hash of it using PASS as the key. Then append &KEY=<your 64 hex character hash here> to the end of the string and send it.

A response message is checked by reversing the process: remove &KEY= from the message, generate a SHA256 hash of the remaining part of the message using PASS as the key, and compare the resulting hash to the KEY field in the incoming message.

Example: Enhanced security using KEY

Request:
TERMID=TESTMERC&CARD=5123456789012345&EXP=0407&AMT=4350&REF=43&TYPE=S&KEY=0931832b28521dc17dabf0d28bd7cbae77bb670d8c1e40181c7a67a97a3c1bb0
Response:
TEXT=T7580843.50&CODE=0000&AUTH=T75808&TOKEN=4003IFNTCCP16781&HASH=AFD6B61A6955A3B11B2ACEB4193EA981&DATE=2016‑03‑28&TIME=17:58:08&DUR=0.146&KEY=32437e1ab573f50a2d465510f8351eb4c105815e6c303b13d4b8de5bd7d51ac6

This method is not available when using JSON or XML to send messages.
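
One way to implement the signing and checking steps described above, in Python. This is an added example, not the gateway's own code: it assumes "SHA256 hash using PASS as the key" means HMAC-SHA256 over the UTF-8 bytes of the message, and the password and response values in it are constructed.

```python
import hashlib
import hmac

KEY_FIELD = "&KEY="


def compute_key(message: str, password: str) -> str:
    """Keyed SHA256 of the message as 64 hex chars (HMAC is an assumption)."""
    return hmac.new(password.encode(), message.encode(), hashlib.sha256).hexdigest()


def sign_request(message: str, password: str) -> str:
    """Append &KEY=<hash> to a request string that carries no PASS field."""
    names = [field.split("=", 1)[0] for field in message.split("&")]
    if "PASS" in names or "KEY" in names:
        raise ValueError("message must not already contain PASS or KEY")
    return message + KEY_FIELD + compute_key(message, password)


def verify_response(message: str, password: str) -> bool:
    """Strip the trailing &KEY= field, recompute the hash and compare."""
    body, sep, received = message.rpartition(KEY_FIELD)
    if not sep or len(received) != 64:
        return False  # unsigned, truncated, or KEY not last: reject outright
    expected = compute_key(body, password)
    # compare_digest is constant time, so response timing does not leak the hash
    return hmac.compare_digest(expected.encode(), received.lower().encode())


if __name__ == "__main__":
    password = "example-pass"  # constructed; the real PASS stays on your server
    request = "TERMID=TESTMERC&CARD=5123456789012345&EXP=0407&AMT=4350&REF=43&TYPE=S"
    print(sign_request(request, password))

    # Constructed response, signed locally to stand in for the gateway's reply
    response = sign_request("TEXT=APPROVED&CODE=0000", password)
    print(verify_response(response, password))                         # genuine
    print(verify_response(response.replace("0000", "0001"), password))  # altered
```

A response that fails this check, or arrives without a KEY field when one is expected, should be treated as unverified rather than processed as if PASS-only security applied.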