Determine what gets hashed #2
Comments
|
Propbably, for now, just assume the POST to the gateway payment page will be automated, so nothing should be changed by a user. Any user-entered changes happen before getting to the auto-post. |
|
We are hashing everything generated by the gateway. The merchant site can add further fields outside of the driver, so long as those fields only optionally appear in the fingerprint. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It seems that the merchant site chooses what fields are included in the data hash when POSTing to the remote payment page. There could be instances where everything has to remain unchanged, so all fields are hashed. There could also be times where some details (e.g. billing address) are left open so they can be edited before going to the offsite payment form. I could even imagine the amount being left unhashed if an arbitrary donation is being paid.
So, how do we indicate what gets hased and what is not hashed? Group fields perhaps - addresses, names, amount - and have flags for ewach of these? Assume everything is hashed unless a hash is disabled for fields or groups? Any other approach?
The text was updated successfully, but these errors were encountered: