Validation of Payment Information

Upon successful payment, the Paymer Merchant will notify the merchant system of the payment by sending the payment notification details (via the Payment Notification Form) to the Result URL.
We recommend that, upon receipt of a Payment Notification Form, the merchant system performs the following:

  1. Verify whether the payment notification was in fact sent by the Paymer Merchant (verify the payment notification source);
  2. Verify the integrity of the payment notification details (verify that no data tampering took place);
  3. Verify the amount received;
  4. Verify that the PAYEE account number is the same as the merchant account number;
  5. Verify the payment mode (whether the payment relates to a real or a simulated payment).

Payment Notification Source Verification

As mentioned before, the Secret Key property should be known only to the merchant and the Paymer Merchant service. Because of this, the Secret Key allows the merchant system to authenticate the source of a payment notification. The merchant has the following options, depending on whether the Result URL is secure or not:

  1. If the merchant does not wish to perform a hash check (which must include the Secret Key) to verify the payment notification source, the merchant can set the Send Secret Key to Result URL Flag. The Paymer Merchant will then send the Secret Key directly to the merchant's website (in the PM_PAYSECRET_KEY field of the Payment Notification Form). Each time it receives a payment notification, the merchant system must compare its own copy of the Secret Key with the one sent by the Paymer Merchant.
  2. The merchant can perform a hash check. The hash must include the Secret Key property and is sent in the PM_PAYHASH field. The merchant system verifies the payment notification source by generating the hash itself and comparing it to the hash sent by the Paymer Merchant. This method is a bit more laborious, but the Secret Key is not transmitted via the Internet.

The option to send the key via HTTPS is provided to simplify the work of the merchant system; in this case no MD5 verification algorithms need to be used, and the use of the Secret Key property prevents the notification from being tampered with.

Payment Notification Details Integrity Verification

When sending payment notification details to the merchant system, the Paymer Merchant Service sends both the payment notification details and a hash of them. This allows the merchant to verify their integrity in one of several ways, depending on whether the Result URL is secure or not:

  • Result URL is Secure, and Result URL is not overridden
    If the Result URL is secure, and if the Result URL is not overridden, then the merchant does not need to perform a hash of the payment notification details, as the underlying SSL protocol will ensure the integrity of the payment notification details.
  • Result URL is not Secure, or Result URL is overridden
    In this case Paymer Merchant recommends that the merchant system performs a hash of the payment notification details upon receipt.
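
The five recommended checks as one routine, given here as an added example and not Paymer's own code. Only PM_PAYSECRET_KEY and PM_PAYHASH come from the text above; the other field names, the order and separator of the hashed fields, and the REAL mode value are assumptions to be replaced with the layout from the Paymer specification.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Assumed: all names except PM_PAYSECRET_KEY / PM_PAYHASH, the field order, ":" and "REAL".
HASHED_FIELDS = ("PM_PAYMENT_ID", "PM_PAYEE", "PM_AMOUNT", "PM_MODE")


def _same(a, b):  # constant-time comparison, so timing does not leak the secret
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def expected_hash(form, secret_key):
    """MD5 over the assumed fields followed by the Secret Key (assumed layout)."""
    material = ":".join([form.get(f, "") for f in HASHED_FIELDS] + [secret_key])
    return hashlib.md5(material.encode("utf-8")).hexdigest().upper()


def validate_notification(form, secret_key, payee, amount, allow_simulated=False):
    """Run the five checks; return the names of those that failed."""
    failed = []
    # Checks 1 and 2: source and integrity, by hash or by the transmitted key.
    if "PM_PAYHASH" in form:
        if not _same(form["PM_PAYHASH"].upper(), expected_hash(form, secret_key)):
            failed.append("hash")
    elif "PM_PAYSECRET_KEY" in form:
        if not _same(form["PM_PAYSECRET_KEY"], secret_key):
            failed.append("secret_key")
    else:
        failed.append("unauthenticated")
    # Check 3: amount, compared as decimals so "10.50" equals "10.5".
    try:
        if Decimal(form.get("PM_AMOUNT", "")) != Decimal(amount):
            failed.append("amount")
    except InvalidOperation:
        failed.append("amount")
    # Check 4: the payee must be the merchant's own account.
    if form.get("PM_PAYEE") != payee:
        failed.append("payee")
    # Check 5: reject simulated payments unless explicitly allowed.
    if form.get("PM_MODE") != "REAL" and not allow_simulated:
        failed.append("mode")
    return failed


if __name__ == "__main__":  # constructed sample notification with a tampered amount
    form = {"PM_PAYMENT_ID": "1001", "PM_PAYEE": "M123", "PM_AMOUNT": "10.50", "PM_MODE": "REAL"}
    form["PM_PAYHASH"] = expected_hash(form, "constructed-secret")
    print(validate_notification(dict(form, PM_AMOUNT="0.01"), "constructed-secret", "M123", "10.50"))
```

The merchant system should accept a notification only when the returned list is empty.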