Resulturl Security


#1

Hello,

New to Paynow SDK and integration

What is the security behind the “resulturl”? Is it possible to have the Paynow IP for whitelisting on our gateway?


#2

I will outline the flow of a payment, then I will talk about the security at each step.

1) Initiate a payment
- Your request requires a hash field that is generated by your integration key (that only you have and can access).
- At this point you include the result_url. This is where Paynow will POST the payment result after it has been completed.
- If the hash in the request received by Paynow matches what is expected, the server responds with a “200” status.

2) Payment POST
Normally within 30 seconds of the payment request, Paynow sends a POST to the provided result_url. Part of that POST is a hash field generated using the integration key.
Using your own copy of the integration key, you can go through the process of generating a hash to verify that the information sent is valid.

In summary, the security lies in only two people being able to generate a hash using a secret integration key. Any change to the information in transit will result in an “invalid Hash” error.
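
Added example, not part of the original posts and not Paynow's own code: a result_url handler check that recomputes the hash over the POSTed fields and rejects the message when it does not match. It assumes the hash is the uppercase hex SHA-512 of every field value except `hash`, concatenated in the order received, followed by the integration key (confirm this against the Paynow documentation); the key, field names and values are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder, not a real integration key.
INTEGRATION_KEY = "00000000-0000-0000-0000-000000000000"


def compute_hash(fields, key):
    """Assumed scheme: SHA-512 over all values except 'hash', in order, plus the key."""
    joined = "".join(value for name, value in fields if name.lower() != "hash")
    return hashlib.sha512((joined + key).encode("utf-8")).hexdigest().upper()


def verify_result_post(raw_body, key):
    """Return the decoded fields if the hash verifies, otherwise None."""
    # parse_qsl URL-decodes values and preserves the order they were sent in.
    fields = parse_qsl(raw_body, keep_blank_values=True)
    received = [value for name, value in fields if name.lower() == "hash"]
    if len(received) != 1:
        return None  # missing or duplicated hash field: reject
    expected = compute_hash(fields, key)
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), received[0].upper().encode()):
        return None
    return dict(fields)


def build_sample_post(fields, key):
    """Constructed helper: builds a body the way the sending side would."""
    return urlencode(fields + [("hash", compute_hash(fields, key))])


# Constructed sample message for demonstration.
SAMPLE_FIELDS = [("reference", "INV-1001"), ("amount", "25.00"), ("status", "Paid")]
SAMPLE_BODY = build_sample_post(SAMPLE_FIELDS, INTEGRATION_KEY)

if __name__ == "__main__":
    print(verify_result_post(SAMPLE_BODY, INTEGRATION_KEY))
    # Amount altered in transit: the hash no longer matches, so the result is None.
    print(verify_result_post(SAMPLE_BODY.replace("25.00", "2500.00"), INTEGRATION_KEY))
```

Only act on the payment status when the function returns the fields; a `None` result should be logged and the order left unchanged.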