At the end of the SPI's process flow, a cardholder's browser is redirected to the merchant's success page. This redirect will contain the payload used to inform a merchant that payment has (or has not) been successful. Normally, a step like this would be vulnerable to a spoofing attack. Because the payload of the SPI is contained in a URL string, it wouldn't even take a technical mind to make a merchant think he or she has been paid. Spoofing would be a very real possibility!
The SPI prevents this form of cheating because it requires the merchant to encrypt a portion of the POST sent to ProtectPay®. In turn, the SPI will encrypt the payload contained in the final redirect. The merchant can be certain that the response coming back from ProtectPay® is real and that he or she has actually been paid. It is this encryption that makes a TempToken necessary.
Not all of the data contained in the POST to the SPI needs to be encrypted. In fact, the information entered into the browser by a cardholder cannot be touched by your systems at all. You should encrypt merchant data such as transaction amount, invoice number, etc. (See full list at the bottom of this page.) You should also encrypt the instructions that you provide to the SPI. By using a combination of values passed in to the fields PaymentMethodStorageOption, you can instruct the SPI to perform a number of different tasks:
Create a string with key-value pairs of the data which cannot be altered by the cardholder. (See the table at the bottom of this page.)
Then encrypt the Key-Value Pair using the following method:
TempToken string and generate an MD5 hash of the
The resulting value is called a SettingsCipher and will be posted to the SPI, along with the cardholder information, and CredentialId. When the server receives your request, it uses the CredentialId to decipher your SettingsCipher and process your request.
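The steps above as an added Node.js example, not code from ProPay or from this page. The method text on this page breaks off after the MD5 step, so the `Key=Value&...` string format, the cipher (AES-128-CBC with the MD5 digest as key and IV, Base64 output) and decryption of the response with the same key are assumptions to confirm against the ProPay API documentation; the function names and sample values are constructed, and required fields whose allowed values this page does not list are left out of the sample.

```javascript
// Added example (not ProPay code). Assumptions, because the method text on the
// page is cut off after the MD5 step: "Key=Value" pairs joined with "&", and
// AES-128-CBC with the MD5 digest as both key and IV, Base64-encoded output.
const crypto = require("node:crypto");

// MD5 of the UTF-8 TempToken string: 16 bytes, the size of an AES-128 key.
function tempTokenKey(tempToken) {
  return crypto.createHash("md5").update(tempToken, "utf8").digest();
}

// Serialize the merchant-controlled settings. Values are not escaped here, so
// delimiters are rejected to keep one value from smuggling in a second pair.
function buildSettingsString(settings) {
  return Object.entries(settings).map(([key, value]) => {
    if (/[&=]/.test(key) || String(value).includes("&")) {
      throw new Error(`delimiter inside setting ${key}`);
    }
    return `${key}=${value}`;
  }).join("&");
}

function makeSettingsCipher(tempToken, settings) {
  const key = tempTokenKey(tempToken);
  const cipher = crypto.createCipheriv("aes-128-cbc", key, key);
  const plain = buildSettingsString(settings);
  return Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]).toString("base64");
}

// Decrypt with the TempToken issued for this checkout. Returns null when the
// padding check fails, which is the usual result for a payload that was not
// produced with that TempToken.
function openSettingsCipher(tempToken, settingsCipher) {
  try {
    const key = tempTokenKey(tempToken);
    const decipher = crypto.createDecipheriv("aes-128-cbc", key, key);
    const raw = Buffer.concat([decipher.update(settingsCipher, "base64"), decipher.final()]);
    return raw.toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample values; the keys come from the parameter table.
const SAMPLE_TOKEN = "constructed-temp-token";
const SAMPLE = { PayerId: "1234567890", CurrencyCode: "USD", InvoiceNumber: "INV-1001" };
const sampleCipher = makeSettingsCipher(SAMPLE_TOKEN, SAMPLE);
console.log(sampleCipher, "->", openSettingsCipher(SAMPLE_TOKEN, sampleCipher));
```

After decrypting a response, compare fields such as InvoiceNumber with the values you stored for that checkout before treating the order as paid.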
|Query String Parameter||Required||Description|
|PayerId||Y||Id of the payer that is the owner of the credit card.|
|PaymentProcessType||Y||Tells the SPR which mechanism to use for processing a transaction:|
|ProcessMethod||Y||Tells the SPR how to process transaction prior to storage.|
when to store cardholder data. By using this value in conjunction with
|CurrencyCode||N||ISO standard currency code.|
|InvoiceNumber||N||Optional field passed to Gateway.|
where response is sent by the
PMI. If you wish to include a query string as your
|Comment1||N||Optional fields passed to Gateway.|
|Comment2||N||Optional fields passed to Gateway.|
|Data from ProPay, Inc API documentation.|
After you create your SettingsCipher, you will be ready to paint a checkout page for your cardholders to enter their payment information.