Upon successful payment, the Paymer Merchant will notify the merchant system of the payment
by sending the payment notification details (via the Payment Notification Form) to the Result URL.
We recommend that, upon receipt of a Payment Notification Form, the merchant system performs the following:
Verify whether the payment notification was in fact sent by the Paymer Merchant (verify the payment notification source);
Verify the integrity of the payment notification details (verify that no data tampering took place);
Verify the amount received;
Verify that the PAYEE account number is the same as the merchant account number;
Verify the payment mode (whether the payment relates to a real or a simulated payment)
As mentioned before, the Secret Key property should only be known
by the merchant and the Paymer Merchant service. Because of this, the Secret Key enables
the authentication of the payment notification source to the merchant system. The merchant can authenticate the source
in one of several ways, depending on whether the Result URL is secure or not:
The merchant has the following options:
If the merchant does not wish to perform a hash check (that must include the Secret Key)
in order to verify the payment notification source, the merchant can set the Send Secret Key to Result URL Flag,
and then the Paymer Merchant will send the Secret Key directly to the merchant’s website (in the PM_PAYSECRET_KEY
field on the Payment Notification Form). The merchant system has then to compare its own copy of the Secret Key with the one sent
by the Paymer Merchant each time it receives the payment notification.
The merchant can perform a hash check.
The hash must include the Secret Key property and it is sent in the PM_PAYHASH field.
In order to verify the payment notification source, the merchant system will, by generating the hash and comparing
it to the hash sent by the Paymer Merchant, verify the payment notification source. This method is a bit more laborious
but in this case the Secret Key will not be transmitted via the Internet.
The possibility to send the key via https is provided to simplify the work of the merchant system; in this case no MD5 verification algorithms need to be used and the use of the Secret Key property prevents the notification from being tampered.
When sending payment notification details to the merchant system, the Paymer Merchant Service will send both the payment notification details and a hash of the payment notification details allowing the merchant to authenticate the integrity in one of several ways, depending on whether the Result URL is secure or not:
Result URL is Secure, and Result URL is not overridden
If the Result URL is secure, and if the Result URL is not overridden, then the merchant does not need to perform a hash of the payment notification details, as the underlying SSL protocol will ensure the integrity of the payment notification details.
Result URL is not Secure, or Result URL is overridden
In this case Paymer Merchant recommends that the merchant system performs a hash of
the payment notification details upon receipt.