I am integrating a payment gateway in PHP. The gateway providers told me that it contains a high-risk vulnerability (i.e. amount tampering). I am not an expert in payment gateway integration. How can I prevent amount tampering?
Viewed 2,408 times
2
- Have a look at this https://stackoverflow.com/questions/19729023/paypal-amount-tampering; even if you're not using PayPal, the ideology would be the same. – MCMXCII Jan 08 '18 at 09:36
- Is there any alternate method available? – NightOwl Jan 08 '18 at 10:04
- This question isn't clear. What does the implementation look like that the amount can be tampered with? What provider are you using? – John Conde Jan 08 '18 at 12:44
- HDFC Bank Payment – NightOwl Jan 10 '18 at 10:48
1 Answer
3
Here are some things you can do to prevent amount tampering.
1. Checksum or hash digest, if the payment gateway has this implemented. This simply means generating a hash of the payload you want to send to the payment gateway and sending the hash with it. The gateway will also generate the hash and compare it with the hash sent to it. If it matches, the payload has not been tampered with; otherwise, it has been tampered with and the payment gateway will drop the transaction. Ask your payment gateway for this. It is the most recommended method.
2. Before sending a payment to the payment gateway for processing, log the transaction details in your database. The amount, transaction reference and currency must be logged. Once you get a response from the payment gateway, call the payment gateway's transaction query endpoint with your transaction reference to confirm the transaction directly from the payment gateway, then verify your logged transaction amount, transaction reference and currency against the ones you got from the payment gateway. If there is any discrepancy, log the transaction for dispute resolution; otherwise, update your transaction record with the returned transaction status.
3. Method 2 only works if the payment gateway has a transaction query endpoint. If your payment gateway doesn't have a transaction query endpoint, when you get a transaction response, just verify your logged transaction amount, transaction reference and currency against the ones you got from the payment gateway. If there is any discrepancy, log the transaction for dispute resolution; otherwise, update your transaction record with the returned transaction status. (I would advise against using a payment gateway that doesn't have an endpoint to query your transactions, though.)
I recommend using 1 and 2 together if you can.

Olufemi Israel Olanipekun
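The two checks from the answer above (a checksum that travels with the request, and comparing the gateway's response against the merchant's own stored record) as an added PHP example; this is not code from the question, the answer, or any gateway's SDK. The secret, the `txn_ref`/`amount`/`currency` field names, the `|`-joined canonical string, the `txns` table and the shape of the gateway response are all assumptions: use the checksum format your gateway actually documents, and feed `verify_response()` with the result of the gateway's transaction query endpoint where one exists.

```php
<?php
// Assumed placeholder: the shared secret issued by the gateway, loaded from config.
const MERCHANT_SECRET = 'REPLACE_WITH_GATEWAY_SECRET';

// Canonical string with a fixed field order, so both sides hash identical bytes.
// Amounts are assumed to be integer minor units (e.g. paise), never floats.
function canonical(array $p): string {
    return implode('|', [$p['txn_ref'], (string)(int)$p['amount'], $p['currency']]);
}

// Method 1: checksum sent alongside the payment request (HMAC, keyed by the secret).
function sign_request(array $p): string {
    return hash_hmac('sha256', canonical($p), MERCHANT_SECRET);
}

// Method 2, first half: persist what we intended to charge before redirecting.
function store_pending(PDO $db, array $p): void {
    $db->prepare('INSERT INTO txns (txn_ref, amount, currency, status) VALUES (?, ?, ?, ?)')
       ->execute([$p['txn_ref'], (int)$p['amount'], $p['currency'], 'PENDING']);
}

// Method 2, second half: on the gateway response (callback or query-endpoint result),
// verify the checksum first, then compare amount/currency/reference with our record.
function verify_response(PDO $db, array $r): string {
    $expected = hash_hmac('sha256', canonical($r), MERCHANT_SECRET);
    // Constant-time comparison; a missing checksum fails closed.
    if (!hash_equals($expected, (string)($r['checksum'] ?? ''))) {
        return 'REJECT_BAD_CHECKSUM';
    }
    $st = $db->prepare('SELECT amount, currency FROM txns WHERE txn_ref = ?');
    $st->execute([$r['txn_ref']]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'REJECT_UNKNOWN_REF';   // reference we never issued
    }
    if ((int)$row['amount'] !== (int)$r['amount'] || $row['currency'] !== $r['currency']) {
        // Discrepancy: park it for dispute resolution instead of marking it paid.
        $db->prepare('UPDATE txns SET status = ? WHERE txn_ref = ?')
           ->execute(['DISPUTE', $r['txn_ref']]);
        return 'DISPUTE_AMOUNT_MISMATCH';
    }
    // Everything matches: record the status the gateway reported.
    $db->prepare('UPDATE txns SET status = ? WHERE txn_ref = ?')
       ->execute([$r['status'], $r['txn_ref']]);
    return 'OK';
}
```

Note that the browser-submitted amount is never trusted on return: the comparison is always against the value stored server-side before the redirect.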