- Created by PAYONE Admin, last modified on 2021-10-07
To prevent tampering with the request sent to PAYONE, a checksum of the parameters used must be included in the request to the PAYONE platform. For this, we use the parameter hash.
The hash value is calculated from the request parameters and a secret key using the hash function hash("md5", $data) or hash("sha384", $data). The values of all parameters to be protected are concatenated in alphabetical order. Finally, the key is appended to the string and the hash value is calculated.
Parameters are sorted alphabetically by their name. It does not matter in which order they are used in the request URL. The parameters to be protected can be found in FE - Parameters in the request URL. They have been identified with a "+" in the hash column.
Configuring the Preferred Hash Method
You can assign the key to be used in the PMI (PAYONE Merchant Interface). Never pass this key to third parties. You can also choose the desired hash algorithm in the PMI:

PMI, configuration, payment portals, hash calculation

PMI-Selection | Meaning |
---|---|
md5 (current method) | PAYONE platform expects hash value as md5. md5 is considered unsafe and should not be used anymore! |
sha2-384 (recommended method) | PAYONE platform expects hash value as sha2-384 |
md5_or_sha2-384 (during migration) | PAYONE platform accepts both hash calculations (md5 and sha2-384) |

The PAYONE Platform expects the hash value in lowercase letters.
Please note that for "sha2-384" the portal key is not part of the data passed to the hash function; it is passed as a separate parameter to the function "hash_hmac".
Example
```php
<?php
// Important notes:
//
// * Intention of this sample is to show the concept of HASH-calculation
//   It's not a fully valid payment request
//
// * Please add further parameters as needed:
//     clearingtype / subtype
//     mode ("live" or "test")
//     further as needed - depending on clearingtype, subtype, ...
//
// * Please refer to the table in https://docs.payone.com/x/tIUS and add values to
//   HASH-calculation as indicated by column "Hash"
//
$request="authorization";      // Request
$portalid=2000001;             // Portal ID
$aid=10002;                    // Sub Account ID
$key="geheim";                 // Key (configurable in the payment portal)
$id[1]="123-345";              // Your item no.
$pr[1]=5900;                   // Price in Cent
$no[1]=1;                      // Quantity
$de[1]="Puma Outdoor";         // Item description
$va[1]=19;                     // VAT (optional)
$amount=round($pr[1]*$no[1]);  // Total amount
$currency="EUR";               // Currency
$reference="73464354";         // Merchant reference no.
$customerid="123456";          // Merchant customer ID (optional)

// usage of md5-hash
// select "md5" in PMI-portal-settings
// $hash=md5($aid . $amount . $currency . $customerid .
//           $de[1] . $id[1] . $no[1] . $portalid . $pr[1] .
//           $reference . $request . $va[1] .
//           $key);            // Parameters in sorted order + key

// usage of sha2-384-hash
// select "sha2-384" in PMI-portal-settings
$hash=hash_hmac("sha384",
    $aid . $amount . $currency . $customerid .
    $de[1] . $id[1] . $no[1] . $portalid . $pr[1] .
    $reference . $request . $va[1],   // !! Parameters in sorted order
    $key);                            // !! $key is an individual parameter !

// The hash is calculated over the raw values; only the URL carries the encoded form.
$url="https://frontend.pay1.de/frontend/v2/?request=" . $request .
    "&aid=" . $aid .
    "&portalid=" . $portalid .
    "&customerid=" . $customerid .
    "&currency=" . $currency .
    "&amount=" . $amount .
    "&reference=" . $reference .
    "&id[1]=" . $id[1] .
    "&pr[1]=" . $pr[1] .
    "&no[1]=" . $no[1] .
    "&de[1]=" . urlencode($de[1]) .   // description contains a space
    "&va[1]=" . $va[1] .
    "&hash=" . $hash;
```
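The same calculation generalized to an arbitrary set of protected parameters, as an added example that is not PAYONE's own code. The helper name `payoneHash()` and its signature are hypothetical; the sample values are the ones from the example above.

```php
<?php
// Added example, not PAYONE code: payoneHash() is a hypothetical helper name.

/**
 * @param array  $params name => value of the parameters marked "+" in the hash column
 * @param string $key    portal key configured in the PMI
 * @param string $method "sha2-384" or "md5", matching the PMI selection
 */
function payoneHash(array $params, string $key, string $method = 'sha2-384'): string
{
    // Sort by parameter name so the order in the request URL does not matter.
    ksort($params, SORT_STRING);
    $data = implode('', $params);

    switch ($method) {
        case 'sha2-384':
            // The key is the HMAC key and is not appended to $data.
            return hash_hmac('sha384', $data, $key);   // lowercase hex
        case 'md5':
            // Legacy method: the key is appended to the concatenated values.
            return md5($data . $key);                  // lowercase hex
        default:
            throw new InvalidArgumentException("Unsupported hash method: $method");
    }
}

// Constructed input: the values from the example above, deliberately unsorted.
$params = [
    'request' => 'authorization', 'portalid' => 2000001, 'aid' => 10002,
    'customerid' => '123456', 'currency' => 'EUR', 'amount' => 5900,
    'reference' => '73464354', 'id[1]' => '123-345', 'pr[1]' => 5900,
    'no[1]' => 1, 'de[1]' => 'Puma Outdoor', 'va[1]' => 19,
];
$key = 'geheim';
$hash = payoneHash($params, $key);

// Cross-check against the hand-written concatenation used on this page.
$manual = hash_hmac('sha384',
    '10002' . '5900' . 'EUR' . '123456' . 'Puma Outdoor' . '123-345' . '1' .
    '2000001' . '5900' . '73464354' . 'authorization' . '19', $key);
echo 'matches manual calculation: ', var_export(hash_equals($manual, $hash), true), "\n";

// Compare the original hash with one computed over a changed amount.
$tampered = ['amount' => 100] + $params;
echo 'tampered request matches: ',
    var_export(hash_equals($hash, payoneHash($tampered, $key)), true), "\n";
```

Plain string sorting of names such as `id[1]` is an assumption that holds for the single item shown on this page; the page does not state how higher item indices are ordered.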