Hi,
I'm using the NAB Transact (Hosted Payment Page) Payment Module. It works fine, but unfortunately NAB have updated its features to include a Fingerprint field. I'm not a PHP programmer and I'm a one-man operation so I don't have an IT department.
I've downloaded the application guide and part of the relevant section is shown below, to give you an idea of what's required. It's unlikely that I'm going to be able to make sense of this and I need to get it right first time because once NAB enable the change in the systems for my account any errors are going to lock me out of any payments until I can fix it.
Is there anyone that can write out the relevant changes needed for this module or can someone point me to someone that can do it for me.?
eg. from the NAB transact integration guide:
2.3.12 Fingerprint
Request and response of NAB Transact Hosted Payment Page will include a fingerprint to protect important details exchanged
between merchant and the page.
Use the merchant account below to test fingerprint enabled HPP.
MerchantID: XYZ0110
Transaction Password: abcd1234
2.3.12.1 Fingerprint in request
The fingerprint is a protected record of the important details of requests coming to the NAB Transact Hosted Payments Page.
It must be generated and then included as an input field to the HTML form. It prevents a customer modifying the transaction
details when submitting their card information.
The Fingerprint is a HMAC-SHA256 hash of the following fields, plus the Merchant Transaction Password, in the same order with
a pipe separator “|”:
vendor_name
payment_reference
payment_alert
unit_names, which is a list of coma-separated product names in alphabetical order.
unit_prices, which is a list of unit prices in corresponding order with the product names above.
Merchant transaction password
If any field doesn’t have a value, an empty string will be used instead.
Merchant Transaction Password is used as the secret key when generating the fingerprint.
Computed values for unit_names and unit_prices are used to generate fingerprint and should not be submitted along with the
form.
Example:
vendor_name: XYZ0110
payment_reference:Invoice#64219
payment_alert: HYPERLINK “mailto:[email protected]” [email protected]
Product: “ZZZZ”, quantity: “1”, unit price: “2.00”
Product: “Red Socks”, quantity: “1”, unit price: “10.95”
Product: “Baseball Cap”, quantity: “3”, unit price: “11.50”
Example: Calculate unit_names and unit_prices for fingerprinting
Alphabetically sorted product names
unit_names = “Baseball Cap,Red Socks,ZZZZ”
and unit prices
unit_prices = “11.50,10.95,2.00”
Example: Fingerprint text: XYZ0110| HYPERLINK “mailto:Invoice#64219|[email protected]|Baseball”
Invoice#64219|[email protected]|Baseball Cap,Red Socks,ZZZZ|11.50,10.95,2.00|abcd1234
HMAC-SHA256 Fingerprint: de5cdceef8c129e134e2da358759da8e073b7be94f8e40790ab9f8c3e094bf1e
Example: A fingerprint as a hidden input field
<input type=”hidden” name=”fingerprint” value=”de5cdceef8c129e134e2da358759da8e073b7be94f8e40790ab9f8c3e094bf
1e”>
2.3.12.2 Fingerprint in response
The fingerprint is a HMAC-SHA256 hash of the following fields, plus the Merchant Transaction Password, in the same order with a
pipe separator “|”:
bank_reference (bank authorization code)
payment_reference (the payment reference provided in the request)
payment_amount (invoice total)
payment_number incremental invoice number)
payment_date (returned as UNIX timestamp)
Merchant transaction password
If any field doesn’t have a value, an empty string will be used instead.
If return_link_url and/or reply_link_url is required refer to 2.3.13.1 for format specifications
2.3.13 Updating your System after a Transaction is Approved
Two methods exist to remotely update your system following an approved transaction: return_link_url and reply_link_url.
• The return_link_url is the visible clickable hyperlink on the top and bottom of the transaction receipt screen that the
customer sees in the event of an approved transaction. The customer must click on the URL for the remote service to
receive data.
• The reply_link_url is a server-side request from the NAB Transact payment server to a web service within the client’s web
site or hosting environment. It is triggered automatically at the time the receipt page is displayed to the customer.
Both the return_link_url and reply_link_url are formatted in the same way.
2.3.13.1 Formatting the return_link_url and reply_link_url
Any information or hidden field variables passed to NAB Transact from the payment form are available to be returned via these
methods. You may also include additional variables that might be useful to you in processing the returned data.
Value of ‘return_link_url’ and ‘reply_link_url’ parameters in request should have place holders for the below parameters so that
the fingerprint in response can be verified by merchant.
• bank_reference
• payment_reference
• payment_amount
• payment_number
• payment_date
• fingerprint
Hard-coded variables like a sessionid as well as dynamically-populated fields like address can be included.
Example 1: Returning information for fingerprint enabled integration
<input type=”hidden” name=”reply_link_url” value= HYPERLINK “\”http:/www.myserver.com.au/result.asp?sessionid=1234
5&Address=&bank_reference=&payment_reference=&payment_amount=&payment_number=& pa yment_
date=&fingerprint=\”””http://www.myserver.com.au/result.as...ence=&payment_
reference=&payment_amount=&payment_number=&payment_date=&fingerprint=”>
If the inputs are
-Address as “2 Main Street”
-payment_reference as “Invoice#64219”
http://www.myserver.com.au/result.as...233&payment_re
ference=Invoice%2364219&payment_amount=25.15&payment_number=66123&payment_date=1 617223376&fingerprint=8
b5192adadec983ec0933ed32b3641b3365d455416c37e5c410a4938a55dca53
NAB Transact – Hosted Page Intergration Guide | 17
Bookmarks