In order to ensure that Buckaroo can verify the sender of the transaction and make sure that no alterations were made to the message during transport, Buckaroo uses a digital signature for each transaction. This signature consists of a hash of all fields from the message, with the addition of a secret key. The secret key can be set in the Payment Plaza under Settings -> Security.
All Buckaroo websites are secured with a HTTPS certificate. Below you’ll find an explanation on how to deal with the transfer from the Merchant’s website to Buckaroo and vice versa.
Logging in to the online environment can be protected by two-factor authentication.
Calculation of the digital signature
The calculation of the signature works as follows:
List all fields in the payment request starting with brq_, add_ or cust_, except brq_signature, in the following format:
Sort this list alphabetically using only the fieldname (ie. brq_amount precedes brq_websitekey). Important: the ordering should not be case-sensitive (brq_active precedes BRQ_AMOUNT). Capital letters in field names should be preserved.
Concatenate all the parameters, formatted as specified under 1, into one string. Do not use any separator or whitespace
Add the pre-shared secret key at the end of the string
For example: BRQ_AMOUNT=1.00brq_currency=EURbrq_websitekey=asdfasdfsecretkey
Calculate a hash from this string with the selected (SHA) algorithm. Return the hash in hexadecimal format.
When verifying a received signature, first url-decode all the field values (only if
the programming platform you use doesn’t do this automatically). A signature is always calculated over the non-encoded values (i.e The value “J.+de+Tester” should be decoded to “J. de Tester”). If any issue occurs with encoding and decoding the values, please check the option ‘Enable double encoding on redirect data’ to alter the way the redirect data from the Buckaroo system to your website is encoded
The use of the selected (SHA) encryption algorithm differs per development platform. Most languages (such as PHP and ASP.NET) have default implementations of the selected SHA algorithm. For other languages, such as classis ASP, implementations for the selected SHA algorithm can be found on the internet.
Security alert HTTPS
The Buckaroo payment environment is entirely equipped with SSL certificates. This is visible through the “padlock” that is shown on the webpages and the URL beginning with HTTPS instead of HTTP. Buckaroo recommends to implement both the online store checkout and the redirect page in a HTTPS secured environment. This way, the data is illegible in case it gets intercepted on the internet.
When the customer returns to the Merchant’s online store after having made a payment, a warning might be displayed. Customers are then warned that they’re leaving the safety of the Buckaroo environment and are redirected to the online store’s unprotected Thank You page.
In order to avoid an error message, it is important to protect the Thank You page with a SSL certificate. So you’ll have to change the Thank You page from http://return.merchantnaam.nl to https://return.merchantnaam.nl.
In order to verify whether the return URL is working properly, it can be extracted from the message to Buckaroo and placed in a browser. If the URL doesn’t work, it needs to be checked whether this page actually starts with HTTPS. An unprotected "Thank You"-page can cause problems, particularly with regard to the Safari browser on the iPad and iPhone platform. The option to proceed is not always available. This results in incomplete payments and thus conversion loss.