Skip to end of metadata
Go to start of metadata

To prevent changes to the request to PAYONE, we need to incorporate a checksum of the used parameters to the PAYONE platform. For this, we use the parameter hash.
The hash value is calculated from the request parameters and a secret key using the hash function hash("md5" , $data) or hash("sha384", $data). Any parameter values to be protected are concatenated in alphabetical order. Finally, the key will be attached to the string and the hash value is calculated.
Parameters are sorted alphabetically by their name. It does not matter in which order they are used in the request URL. The parameters to be protected can be found in FE - Parameters in the request URL. They have been identified with a "+" in the hash column.

Configuring the Preferred Hash Method

You can assign the key to be used in the PMI (PAYONE Merchant Interface). Do not pass this key to third parties in any case. You can also choose the desired hash algorithm in the PMI:

PMI, configuration, payment portals, hash calculation




md5 (current method)

PAYONE platform expects hash value as md5
(md5 is compromised and should be replaced by sha2-384)
for compatibility reason this is currently default.

md5 is considered unsafe and should not be used anymore!

sha2-384 (recommended method)

PAYONE platform expects hash value as sha2-384
(if you want to use sha2-384 hash values this option has to be activated)

md5_or_sha2-384 (during migration)

PAYONE platform accepts both hash calculations (md5 and sha2-384)
(this option should only be use for migration from md5 to sha2-384)

The PAYONE Platform expects the hash value in small letters.

Please pay attention that for "sha2-384" the portal key is not part of parameters for hash-function, but a separate parameter passed to hash-function "hash_hmac".


// Important notes:
// * Intention of this sample is to show the concept of HASH-calculation
//   It’s not a fully valid payment request
// * Please add further parameters as needed:
//     clearingtype / subtype
//     mode (“live” or “test”)
//     further as needed - depending on clearingtype, subtype, ...
// * Please refer to the table in and add values to 
//   HASH-calculation as indicated by column “Hash”
$request="authorization";    // Request
$portalid=2000001;           // Portal ID
$aid=10002;                  // Sub Account ID
$key="geheim";               // Key (configurable in the payment portal)

$id[1]="123-345";            // Your item no.
$pr[1]=5900;                 // Price in Cent
$no[1]=1;                    // Quantity
$de[1]="Puma Outdoor";       // Item description
$va[1]=19;                   // VAT (optional)
$amount=round($pr[1]*$no[1]);// Total amount
$currency="EUR";             // Currency
$reference="73464354";       // Merchant reference no.
$customerid="123456";        // Merchant customer ID (option)

// usage of md5-hash
// select “md5” in PMI-portal-settings
// $hash=md5($aid . $amount . $currency . $customerid .
//        $de[1] . $id[1] . $no[1] . $portalid . $pr[1] .
//        $reference . $request . $va[1] .
//        $key);  // Parameters in sorted order + key

// usage of sha2-384-hash
// select “sha2-384” in PMI-portal-settings
$hash=hash_hmac(“sha384”, $aid . 
          $amount . 
          $currency . 
          $customerid .
          $de[1] . 
          $id[1] . 
          $no[1] . 
          $portalid . 
          $pr[1] .
          $reference . 
          $request . 
          $va[1], // !! Parameters in sorted order
          $key);  // !! $key is an individual parameter !

$url="" . $request .
          "&aid=" . $aid .
          "&portalid=" . $portalid .
          "&customerid=" . $customerid . 
          "&currency=" . $currency . 
          "&amount=" . $amount . 
          "&reference=" . $reference .
          "&id[1]=" . $id[1] .
          "&pr[1]=" . $pr[1] .
          "&no[1]=" . $no[1] .
          "&de[1]=" . $de[1] .
          "&va[1]=" . $va[1] .
          "&hash=" . $hash;

  • No labels