Hash HMAC-Authentication in Notify

The shop must verify that a notification request really comes from Pay-Jet Cockpit. Otherwise an attacker can initialise a transaction and then falsify this notification. A shop operator will not manually check whether a corresponding transaction was performed in each case. Therefore, the module must do this automatically.

Currently, the notification request is only encrypted. Encryption alone does not guarantee the authenticity of a message; it only guarantees that the message cannot be read by third parties. Therefore, this safety measure on its own is insufficient.

For this reason the response carries the parameter MAC, which is formed with the same algorithm as the MAC in the request. Only the input parameters differ.

The following data pattern applies here for hash generation: PayID*TransID*MerchantID*Status*Code

The MAC parameter is only returned to the URLSuccess or URLFailure and for URLNotify.

Your integration must check whether the response received is authentic. 

The following steps describe how to generate the hash value used to validate the Pay-Jet Cockpit response you received:

Step 1: Please log on to Pay-Jet Support, which supplies you with the Hash password.

Step 2: The HMAC value is calculated with the aid of the password and several parameter values. For the calculation, the parameters PayID, TransID, MerchantID, Status and Code are used and separated with asterisks:

PayID*TransID*MerchantID*Status*Code

| Key | Value | Comments |
| --- | --- | --- |
| PayID | Referenced PayID | PayID returned by Pay-Jet Cockpit |
| TransID | Your transactionId to reference / identify your request | Your own reference to identify each request / payment process. |
| MerchantID | Your MerchantID assigned to you by Pay-Jet | Your MerchantID identifying this request. |
| Status | Status in response | Status of response, e.g. AUTHORIZED, FAILED, OK, ... |
| Code | Code in response | Code of response, e.g. 00000000, 22720040, ... |
| YourHmacPassword | Your HMAC password assigned to you by Pay-Jet | Your HMAC password is assigned to a specific MID; if you have different MIDs you will have different HMAC passwords, too. |

Samples for MAC calculation:

| Sample | Formula | Result |
| --- | --- | --- |
| Authorized payment | HmacSHA256("7bbb448155234d8cbee323778952ce28*TID-12033175321270170232*yourMerchantId*AUTHORIZED*00000000", "mySecret") | 4CDCB4DE587AC210F21DE0591689B920CF56D89B38D4C7B1B7F8867BFC93E02C |
| Failed payment | HmacSHA256("7bbb448155234d8cbee323778952ce28*TID-12033175321270170232*yourMerchantId*FAILED*22720040", "mySecret") | 0061D6AD2951C46A5507C3CA6B6236A32FD14ABA285722E87AF2A329FBDEFACD |

Step 3: Use the HMAC SHA-256 algorithm, which nearly all programming languages support, to calculate the hash value from the password and the parameter values.

Step 4: Compare

  • the MAC value from the Pay-Jet Cockpit response that you received
  • with the MAC value that you calculated yourself

to ensure that the message you have received is authentic.
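As an added example (not code from Pay-Jet or from this page), the following Python implements steps 2 to 4 for a shop module: it builds the PayID*TransID*MerchantID*Status*Code string, computes HMAC-SHA256 with the HMAC password, compares it in constant time with the received MAC, and additionally checks that the TransID belongs to a transaction the shop itself initiated, which is the automatic check the introduction asks the module to perform. The function names, the parameter dictionary and the known_trans_ids set are assumptions; the script assumes the notification parameters have already been decrypted and parsed into a dictionary. The sample values are the ones from the table above with the password mySecret, so running the script prints the MAC for both sample rows for comparison with the Result column.

```python
"""Verify the MAC of a Pay-Jet Cockpit notify/success/failure response (added example).

Assumptions (not from the page): the response parameters have already been
decrypted and parsed into a dict, and the shop keeps a set of TransIDs it
has itself initiated so that an unsolicited notification can be rejected.
"""
import hashlib
import hmac

# Parameter order prescribed by the page: PayID*TransID*MerchantID*Status*Code
MAC_FIELDS = ("PayID", "TransID", "MerchantID", "Status", "Code")


def build_mac_string(params):
    """Join the five MAC parameters with asterisks in the prescribed order.

    A missing parameter raises KeyError on purpose: hashing an empty slot would
    let a truncated response be verified against the wrong string.
    """
    return "*".join(str(params[name]) for name in MAC_FIELDS)


def compute_mac(params, hmac_password):
    """HMAC-SHA256(password, PayID*TransID*MerchantID*Status*Code) as upper-case
    hex, the form used in the Result column of the samples table."""
    key = hmac_password.encode("utf-8")
    data = build_mac_string(params).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest().upper()


def verify_notify(params, hmac_password, known_trans_ids):
    """Return True only if the response is authentic and refers to a transaction
    this shop started. Malformed input is rejected, never raised on."""
    received = params.get("MAC")
    if not isinstance(received, str) or not received:
        return False
    try:
        expected = compute_mac(params, hmac_password)
    except KeyError:
        return False  # a required MAC parameter is missing
    # Constant-time comparison over bytes; lower-case hex from the sender is accepted too.
    if not hmac.compare_digest(expected.encode("ascii"), received.upper().encode("utf-8")):
        return False
    # Authentic, but was it a transaction we actually initiated? (assumed lookup)
    return params["TransID"] in known_trans_ids


if __name__ == "__main__":
    password = "mySecret"  # sample password from the page, not a real one
    # Constructed responses built from the two sample rows of the page's table.
    authorized = {"PayID": "7bbb448155234d8cbee323778952ce28",
                  "TransID": "TID-12033175321270170232",
                  "MerchantID": "yourMerchantId",
                  "Status": "AUTHORIZED", "Code": "00000000"}
    failed = dict(authorized, Status="FAILED", Code="22720040")
    for row in (authorized, failed):
        print(row["Status"], compute_mac(row, password))

    own_transactions = {"TID-12033175321270170232"}
    genuine = dict(failed, MAC=compute_mac(failed, password))
    print("genuine FAILED notify:", verify_notify(genuine, password, own_transactions))
    # Someone who does not know the password rewrites FAILED to AUTHORIZED:
    # the MAC no longer matches and the module rejects the notification.
    forged = dict(genuine, Status="AUTHORIZED", Code="00000000")
    print("forged AUTHORIZED notify:", verify_notify(forged, password, own_transactions))
```

The comparison uses hmac.compare_digest rather than == so that the time taken does not depend on how many leading characters of the received MAC are correct, and the TransID lookup is what turns "this message is from Pay-Jet Cockpit" into "this message concerns a payment my shop started".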


Important: Passwords may never be sent via email, because in that case the security of encrypted requests/responses is immediately no longer assured. If passwords were accidentally sent via email, new passwords must be deposited at the merchant's expense, either in a one-off process or during the next standard release. Pay-Jet explicitly points out the risk of continuing to use such compromised MIDs. If a merchant nevertheless continues to use such a compromised MID, he bears the liability risk for possible losses due to the compromised passwords himself.
