-1

I have a very weird issue: Opayo (SagePay) seems to generate the VPSSignature with an UPPERCASE VendorName in a server integration setup, so that when I do an MD5 hash against it with a lowercase VendorName, it always fails. I find that the signature matches if I uppercase the VendorName first, which seems to contradict what the official guide says.

However, it only happens in one specific production environment I am investigating, and only seems to happen in recent months. Besides, I am unable to reproduce this behavior with Opayo in TEST mode in the other environments I have. Does Opayo do special handling for specific environments and/or MySagePay accounts?

I have read this thread too, but to no avail: SagePay Server Integration Verify Signature. However, my environment is a rather legacy one and still uses protocol version 2.23. I am not sure whether this old protocol version might lead to any related issues.

terence ng
    Sounds more like a documentation issue if I'm honest - they're not that great! You're going to need to move towards v4 by September else you won't be able to support 3DSv2 – PeteAUK Jun 18 '21 at 08:59

1 Answer

0

I consider my solution merely a workaround, but it works for my situation. My workaround currently is to support matching a VPSSignature generated with BOTH the uppercase and the lowercase VendorName, so matching either one of the signatures will be a pass for the system. Since SagePay has already accepted the payment anyway, this workaround works (though it does not seem a very proper one and might have security implications, supporting one more signature still seems alright).

terence ng
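The workaround described in the answer, sketched in Python as an added example (not code from the original post or from Opayo). The field order is an assumption for protocol 2.23 and must be checked against the Opayo Server guide for the version in use; the function names, vendor name and key are hypothetical, constructed values.

```python
import hashlib
import hmac

# Assumed signature field order for protocol 2.23 notifications; confirm it
# against the Opayo Server guide for your protocol version.
SIGNATURE_FIELDS = [
    "VPSTxId", "VendorTxCode", "Status", "TxAuthNo", "VendorName", "AVSCV2",
    "SecurityKey", "AddressResult", "PostCodeResult", "CV2Result", "GiftAid",
    "3DSecureStatus", "CAVV", "AddressStatus", "PayerStatus", "CardType",
    "Last4Digits",
]
SAMPLE_KEY = "CONSTRUCTEDKEY"  # constructed; the real key comes from registration


def compute_signature(post, vendor_name, security_key):
    """Uppercase MD5 hex over the concatenated fields; absent fields are empty."""
    values = dict(post, VendorName=vendor_name, SecurityKey=security_key)
    message = "".join(values.get(name, "") for name in SIGNATURE_FIELDS)
    return hashlib.md5(message.encode("utf-8")).hexdigest().upper()


def verify_notification(post, vendor_name, security_key):
    """Return 'lowercase', 'uppercase' or None (reject) for the matching variant."""
    received = post.get("VPSSignature", "").upper().encode("utf-8")
    matched = None
    for label, name in (("lowercase", vendor_name.lower()),
                        ("uppercase", vendor_name.upper())):
        expected = compute_signature(post, name, security_key).encode("utf-8")
        # Constant-time comparison; both variants are always evaluated.
        if hmac.compare_digest(expected, received) and matched is None:
            matched = label
    return matched


def sample_notification(vendor_name_as_signed):
    """Constructed notification, signed as if the gateway used the given casing."""
    post = {
        "VPSTxId": "{CONSTRUCTED-TXID}", "VendorTxCode": "order-1001",
        "Status": "OK", "TxAuthNo": "123456", "AVSCV2": "ALL MATCH",
        "AddressResult": "MATCHED", "PostCodeResult": "MATCHED",
        "CV2Result": "MATCHED", "GiftAid": "0", "3DSecureStatus": "OK",
        "CardType": "VISA", "Last4Digits": "0006",
    }
    post["VPSSignature"] = compute_signature(post, vendor_name_as_signed, SAMPLE_KEY)
    return post
```

Returning which variant matched lets the handler log uppercase matches, so the fallback can be monitored and removed once the cause is understood.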