Validation of Payment Information

Upon successful payment, the WebMoney.eu Merchant will notify the merchant system of the payment by sending the payment notification details (via the Payment Notification Form) to the Result URL.
We recommend that, upon receipt of a Payment Notification Form, the merchant system performs the following:

  1. Verify whether the payment notification was in fact sent by the WebMoney.eu Merchant (verify the payment notification source);
  2. Verify the integrity of the payment notification details (verify that no data tampering took place);
  3. Verify the amount received;
  4. Verify the payment mode (whether the payment relates to a real or a simulated payment)

 

Payment Notification Source Verification

As mentioned before, the Secret Key property should only be known by the merchant and the WebMoney.eu Merchant service. Because of this, the Secret Key enables the authentication of the payment notification source to the merchant system. The merchant can authenticate the source in one of several ways, depending on whether the Result URL is secure or not:

The merchant has the following options:

  1. If the merchant does not wish to perform a hash check (that must include the Secret Key) in order to verify the payment notification source, the merchant can set the Send Secret Key to Result URL Flag, and then the WebMoney.eu Merchant will send the Secret Key directly to the merchant’s website (in the PM_PAYSECRET_KEY field on the Payment Notification Form). The merchant system has then to compare its own copy of the Secret Key with the one sent by the WebMoney.eu Merchant each time it receives the payment notification.
  2. The merchant can perform a hash check. The hash must include the Secret Key property and it is sent in the PM_PAYHASH field. In order to verify the payment notification source, the merchant system will, by generating the hash and comparing it to the hash sent by the WebMoney.eu Merchant, verify the payment notification source. This method is a bit more laborious but in this case the Secret Key will not be transmitted via the Internet.

The possibility to send the key via https is provided to simplify the work of the merchant system; in this case no SHA256 verification algorithms need to be used and the use of the Secret Key property prevents the notification from being tampered.

 

Payment Notification Details Integrity Verification

When sending payment notification details to the merchant system, the WebMoney.eu Merchant Service will send both the payment notification details and a hash of the payment notification details allowing the merchant to authenticate the integrity in one of several ways, depending on whether the Result URL is secure or not:

  • Result URL is Secure, and Result URL is not overridden
    If the Result URL is secure, and if the Result URL is not overridden, then the merchant does not need to perform a hash of the payment notification details, as the underlying SSL protocol will ensure the integrity of the payment notification details.
  • Result URL is not Secure, or Result URL is overridden
    In this case WebMoney.eu Merchant recommends that the merchant system performs a hash of the payment notification details upon receipt.

The merchant must verify the integrity of data received on pages: Success, Result and Fail in order to verify that no data tampering took place. To verify the integrity of data, the merchant must compare the data from the request with the real data that can be received from the web service https://www.webmoney.eu/merchant/Services/PaymentService.asmx or https://www.webmoney.eu/merchant/Services/PaymentService.svc

 

Verification of Amount Received

Notwithstanding the fact that customers cannot modify the payment amount, it is important that the merchant verifies the amount sent via the PM_PAYMENT_AMOUNT field.

 

Test/Live Mode Verification

The WebMoney.eu Merchant system enables merchants to test the integration of WebMoney.eu Merchant with the merchant system without effecting real payments. The mode of payment processing is based on the value of the Test/Live Flag property set by the merchant. The information about the mode used by the merchant is submitted in the PM_PAYTEST_MODE field.
If the mode is set to test, payments will be simulated and payment details will be fabricated by the WebMoney.eu Merchant system.

Copyright © 2008 WebMoney.eu

For all question feel free to ask info@webmoney.eu