DIBS offers MD5-key control to verify that the data sent between your system and the DIBS system has not been altered, whether through communication errors, hacking or interfering malware. The control works for both the request from your system to DIBS and for the response from DIBS back to your system. By default the MD5-key control is optional, but it can be made mandatory by activating the functionality in the DIBS Administration.
You can find your md5 key pair in DIBS Admin in the following menu:
Request to the DIBS server
Several payment functions use MD5-key control. Before calling these functions, the shop can calculate an MD5-key based on critical parameters in the request as well as a set of private keys found in the DIBS Administration. The specific parameters that should be used in the calculation differ based on the function used. When DIBS receives a request with an MD5-key, it performs the corresponding calculation internally; if the calculated key matches the received key the request is approved, otherwise it is denied.
- The shop calculates the md5key.
- The md5key is sent to DIBS along with the other variables.
- DIBS makes the same calculation and compares the keys.
- If they are identical, the request is accepted, otherwise it is rejected.
Because the orderid is an essential parameter of the MD5 calculation, the orderid must always be unique when using MD5-keys.
Below is an overview of the algorithms that should be used when calculating the MD5-key for the different API functions. In the algorithms, k1 and k2 denote the shop-specific secret keys found in the DIBS Administration, and parameters marked with <> denote the parameter values for the specific request.
For 3dsecure.cgi and auth.cgi:
md5key = MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&currency=<currency>&amount=<amount>"))
md5key = MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&transact=<transact>"))
For capture.cgi, refund.cgi and suppl_auth.cgi:
md5key = MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&transact=<transact>&amount=<amount>"))
md5key = MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&ticket=<ticket>&currency=<currency>&amount=<amount>"))
Response from the DIBS server
A successful ticket registration or authorization will result in DIBS returning an MD5-key in the 'authkey' parameter. The calculation is done in one of two ways depending on which kind of transaction it is.
- When responding to an authorization or ticket registration, DIBS calculates the value of authkey.
- When the shop receives the response, it performs the same calculation.
- If the keys do not match, the transaction should be rejected.
Apart from authkey verification, it should be checked that the amount and currency match the original order made using the order ID.
Please note that when specifying the currency, it must be in the numeric format. See the ISO4217 standard for more information.
For a normal approved authorization, the authkey is calculated as follows:
authkey = MD5(k2 + MD5(k1 + "transact=<transact>&amount=<amount>&currency=<currency>"))
For a successful ticket registration, the authkey is calculated as follows:
authkey = MD5(k2 + MD5(k1 + "transact=<transact>&preauth=true&currency=<currency>"))
Again, k1 and k2 denote the shop-specific secret keys found in the DIBS Administration, and parameters marked with <> denote the parameter values found in the response.
- The keys are calculated using the MD5 algorithm (RSA Data Security Inc.). MD5 is a standard function which is implemented in most scripting and programming languages, such as PHP, Perl, C/C++, ASP and Java.
- When using the payment window and the calcfee functionality, the amount value must be set to the sum of the base amount and the fee.
- When using the "split" parameter from FlexWin, "transact" is replaced by "transact1", "transact2", "transact3", and so forth, one transaction per amount.
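The request calculation for auth.cgi and the response check described above, written out in Python as an added example (not DIBS's own code). It assumes the inner MD5 is passed on as a lowercase hex string, as PHP's md5() returns, and that the response arrives as a dictionary with the keys transact, amount, currency and authkey; the function names, keys, merchant id and order values are constructed for illustration.

```python
import hashlib
import hmac


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def dibs_md5(k1, k2, params):
    # MD5(k2 + MD5(k1 + params)); inner digest passed on as lowercase hex (assumption).
    return _md5_hex(k2 + _md5_hex(k1 + params))


def auth_request_md5key(k1, k2, merchant, orderid, currency, amount):
    # Parameter order follows the page's formula for 3dsecure.cgi and auth.cgi.
    params = f"merchant={merchant}&orderid={orderid}&currency={currency}&amount={amount}"
    return dibs_md5(k1, k2, params)


def expected_authkey(k1, k2, transact, currency, amount=None):
    # amount=None selects the ticket-registration form, which uses preauth=true.
    middle = "preauth=true" if amount is None else f"amount={amount}"
    return dibs_md5(k1, k2, f"transact={transact}&{middle}&currency={currency}")


def verify_auth_response(k1, k2, response, order):
    """True only if authkey is valid and amount/currency match the stored order."""
    transact = str(response.get("transact", ""))
    amount = str(response.get("amount", ""))
    currency = str(response.get("currency", ""))
    want = expected_authkey(k1, k2, transact, currency, amount)
    got = str(response.get("authkey", ""))
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    if not hmac.compare_digest(want.encode("utf-8"), got.encode("utf-8")):
        return False
    return amount == str(order["amount"]) and currency == str(order["currency"])


# Constructed sample values: not real DIBS keys, merchant ids or transactions.
K1, K2 = "constructed-key-one", "constructed-key-two"
ORDER = {"orderid": "ORD-1001", "amount": "12500", "currency": "208"}  # 208 = DKK

if __name__ == "__main__":
    print("md5key:", auth_request_md5key(K1, K2, "90000001", ORDER["orderid"],
                                         ORDER["currency"], ORDER["amount"]))
    reply = {"transact": "123456", "amount": "12500", "currency": "208"}
    reply["authkey"] = expected_authkey(K1, K2, "123456", "208", "12500")
    print("genuine reply accepted:", verify_auth_response(K1, K2, reply, ORDER))
    reply["amount"] = "1"
    print("altered reply accepted:", verify_auth_response(K1, K2, reply, ORDER))
```

The order amount and currency are read from the shop's own stored order, so a response carrying a valid authkey for a different amount is still rejected.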