Security
Advice SHA-512 ( or as high as possible)
Specify according to your situation. The length of the SHA Digest (SHA-sign) is:
40 characters for SHA-1,
64 characters for SHA-256
128 characters for SHA-512.
TIP: For PHP use <?php print_r(hash_algos()); ?> to check if your server supports SHA-512
IMPORTANT 1: in the past only a few parameters + SHA-password could be used. Since May 2010 Ogone announced to stop supporting the old method.
Hints:
* SHA-password (pass phrase) should be at least 16 characters long
* Use all parameters, put them in alphabetical order and use CAPITALS.
* Empty values should be left out.
* Behind every value you have to repeat the SHA-password (pass phrase), and one SHA- password at the end of the complete string to hash.
Example (pass phrase = “Mysecretsig1875!?”)
AMOUNT=1500Mysecretsig1875!?CURRENCY=EURMysecretsig1875!?OPERATION=RESMysecretsig1875!? ORDERID= 1234Mysecretsig1875!?PSPID=MyPSPIDMysecretsig1875!?
Resulting in SHA-1 Digest: 1D01A7E390F0FDA1A8D4B88DAF243686F1CA91E8
Check your SHAsign calculations at:https://secure.ogone.com/ncol/test/testsha_utf8.asp
IMPORTANT 2:
All parameters that you send (and that appear in the list in Appendix: List of Parameters to be included in SHA IN Calculation), will be included in the string to be hashed.
All parameter names should be in CAPITALS (to avoid any confusion). All parameters need to be arranged alphabetically. Note that some sorting algorithms place special characters in front of the first letter of the alphabet, while others place them at the end. If there is any doubt, please respect the order as displayed in the SHA list. Parameters that do not have a value should NOT be included in the string to hash.
Advice UTF8
If you use diacritic (for example á,ü,é) on your website (the input field customer name for instance) than you need to use the UTF-8 encoding setting.
HINTS
* When using the dynamic template, please ensure you declare the UTF-8 character set in the html header.
Enable JavaScript check on template:
Advice ‘NO’
If you use javascripts on your template, select NO (Ogone doesn’t check on javascripts)
If you don’t use javascript, select yes (Ogone checks on javascript, and if found, then Ogone will use the Ogone default payment page).
Allow usage of static template:
Advice ‘ YES‘
With parameters you can define many aspects like background color or button color (etc), see the table below
Allow usage of dynamic template:
Advice ‘ YES‘
The dynamic template page can be designed with your own look & feel. The only requirement is that it must contain the string $$$PAYMENT ZONE$$$ indicating the location where the Ogone e-Commerce module can add its fields dynamically.
If you use the option “NO”, Ogone will not use the TP value but the Ogone default template instead.
Trusted dynamic template URL:
Ogone checks if the used template (TP=) matches with the one configured In the Ogone account. If not the Ogone default template page will be used.
Fill in the whole url (including the name of your page) of your template.
Advice:To stay flexible, when using multiple template pages, we recommend to leave this field empty and use the hostname check instead.
Trusted website hostname hosting the dynamic template:
Ogone checks, if the used hostname matches with the one configured In the Ogone account. If not the Ogone default template page will be used.
Fill in the website hostname. If needed you can use multiple hostnames, separated with the ;
HINTS about the template:
- Use the parameter TP with each transaction you send to Ogone
- Use $$$PAYMENT ZONE$$$ to start the Ogone module in your template
- Host the template on a unprotected server (HTTP), otherwise you may get a certificate conflict.
- If you use pictures in your template, host these pictures on a secure server (HTTPS)
For CSS files you have two options
- Separate CSS file hosted on your secure server (HTTPS), Use a full static URL.
- Or use CSS inline (in the HEAD of your template page itself), Browser dependant, the layout can be different.
