Security
In order to ensure that Buckaroo can verify the sender of the transaction and make sure that no alterations were made to the message during transport, Buckaroo uses a digital signature for each transaction. This signature consists of a hash of all fields from the message, with the addition of a secret key. The secret key can be set in the Payment Plaza under Profile -> Security.
All Buckaroo websites are secured with an HTTPS certificate. Below you’ll find an explanation of how to handle the transfer from the Merchant’s website to Buckaroo and vice versa.
Logging in to the online environment can be protected by two-factor authentication. Below you will find more information.
Calculation of the digital signature
The calculation of the signature works as follows:
1. List all fields in the payment request starting with brq_, add_ or cust_, except brq_signature, in the following format:
brq_fieldname=value
2. Order these fields alphabetically based on the field name (brq_amount precedes brq_websitekey). Important: the ordering is not case-sensitive (brq_active precedes BRQ_AMOUNT). Capital letters in field names must be preserved.
3. Concatenate all these fields, formatted as stated in step 1, into a single string. Do not use any separators or blank spaces.
4. Append the pre-shared secret key to the end of this string.
For example: BRQ_AMOUNT=1.00brq_currency=EURbrq_websitekey=asdfasdfsecretkey
5. Calculate a hash of this string with the selected (SHA) algorithm. Return the hash in hexadecimal format.
For the return and the push, the data have to be fully decoded before the signature can be calculated.
Instruction: The implementation of the selected (SHA) hash algorithm differs per development platform. Most languages (such as PHP and ASP.NET) have default implementations of the selected SHA algorithm. For other languages, such as classic ASP, implementations of the selected SHA algorithm can be found on the internet.
Security alert HTTPS
Explanation
The Buckaroo payment environment is entirely equipped with SSL certificates. This is visible through the “padlock” shown on the web pages and the URL beginning with HTTPS instead of HTTP. Buckaroo recommends implementing both the online store checkout and the redirect page in an HTTPS-secured environment. This way, the data is illegible if it is intercepted on the internet.
Warning
When the customer returns to the Merchant’s online store after having made a payment, a warning might be displayed. Customers are then warned that they are leaving the safety of the Buckaroo environment and are being redirected to the online store’s unprotected Thank You page.
Measure
In order to avoid this warning, it is important to protect the Thank You page with an SSL certificate. So you’ll have to change the Thank You page from http://return.merchantnaam.nl to https://return.merchantnaam.nl.
To verify whether the return URL works properly, extract it from the message sent to Buckaroo and open it in a browser. If the URL doesn’t work, check whether the page actually starts with HTTPS. An unprotected Thank You page can cause problems, particularly with the Safari browser on the iPad and iPhone. The option to proceed is not always available, which results in incomplete payments and thus conversion loss.