I intend to use eWay as payment gateway but encounter problem after problem in implementing it.

As I don't want to touch credit card details at any point, neither storing nor transferring them via my site due to PCI requirements, I need to redirect users to a page hosted by the gateway. Users provide all the details there and the gateway returns a result confirmation to the page I specified, let's call it payment_done.php.

Now, in payment_done.php I don't know for sure if the confirmation came back from the payment gateway itself or someone just POSTed it to my page and it's a fake. So my page might receive a confirmation, but the payment might not be done at all.

Now in payment_done.php I need to ask eway then if this confirmation I received (with some specific transaction ID) came from them and if so whether the amount is right etc. Eway will return true/false back to me and then I can be sure the payment's been done for the right amount.

Now the problem is that eway seems to allow querying for this confirmation only 100 times a day.

I seem to have run out of ideas now and am desperately seeking help. What options do I have left? It seems unbelievable that there is no way to make it work without falling into PCI compliance issues, even using a payment gateway hosted page. Thanks in advance for any help.

A: 

The answer is twofold.

You verify that the post came from an eway server; if the request came from anywhere else, you don't allow the request. This is your main form of security.

In case somebody at eway wants to hack your site, implement this:

Before sending the user for payment, create a long hash. You can use a session variable to hold this.

Pass the hash using the eWAYoption1 parameter.

When eway posts back an answer, check the eWAYoption1 value to verify it matches the current user's payment hash.

You must delete the session variable as soon as you have validated it. Even if the hash is wrong, invalidate the session variable and make them start over.

Between the hash, and verifying the posting IP address, you should be pretty safe.

Byron Whitlock
What would be the best way to make sure the response comes from eWay then? Not sure if it is gateway specific and every gateway has a different way of identifying itself, or usually the IP is checked or some other common method is used to do that? btw thx for such a quick answer!
spirytus
On the eway website there should be a list of the payment servers' IP addresses. You probably have to log in to find them. When you receive the payment confirmation you make sure the IP matches one from the list. This IP cannot be spoofed. In PHP use `$_SERVER['REMOTE_ADDR'];`. You can also do a reverse look-up to verify the IP comes from the eway domain as an additional check. If you can't find the IPs on the website, call support.
Byron Whitlock
That would be a great idea but apparently their payment servers' IPs might be changing so this is not very reliable in my case.
spirytus
They shouldn't change very often. I deal with no fewer than 8 gateways at my job, and they have never changed in 2 years. Store the IPs in a config file or the database because that is really the only way you can be sure the request is coming from the correct place.
Byron Whitlock
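
The two checks from the answer and comments above (a single-use session hash carried in eWAYoption1, plus a source-address allowlist), as an added example that is not part of the original thread and is not eWay's own code. The function names, the `payment_token` session key and the addresses are assumptions made for illustration; the addresses are documentation-range placeholders, and the code assumes the request reaching payment_done.php carries the user's session and arrives from a gateway address, as the answer describes.

```php
<?php
declare(strict_types=1);

// Placeholder addresses (RFC 5737 documentation range), NOT real eWay servers.
// Per the comments above, keep the real list in a config file or database.
const GATEWAY_IPS = ['203.0.113.10', '203.0.113.11'];

// Hypothetical helper: call before redirecting the user to the hosted page.
// The returned value is what goes out in the eWAYoption1 parameter.
function issue_payment_token(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    $session['payment_token'] = $token;
    return $token;
}

// Hypothetical helper: call in payment_done.php with $_SESSION, $_POST and
// $_SERVER['REMOTE_ADDR']. Returns true only if both checks pass.
function verify_callback(array &$session, array $post, string $remoteAddr): bool
{
    // Single use: remove the stored token before any comparison, so a
    // failed attempt also forces the user to start over.
    $expected = $session['payment_token'] ?? null;
    unset($session['payment_token']);

    // Strict string match against the configured gateway addresses.
    if (!in_array($remoteAddr, GATEWAY_IPS, true)) {
        return false;
    }
    $received = $post['eWAYoption1'] ?? null;
    if (!is_string($expected) || !is_string($received)) {
        return false;
    }
    return hash_equals($expected, $received); // constant-time comparison
}

// Constructed demonstration: plain arrays stand in for $_SESSION and $_POST.
$session = [];
$token = issue_payment_token($session);
// First callback with the right token from an allowlisted address.
var_dump(verify_callback($session, ['eWAYoption1' => $token], '203.0.113.10'));
// Replay of the same token after it has been consumed.
var_dump(verify_callback($session, ['eWAYoption1' => $token], '203.0.113.10'));
// Fresh token, but the request comes from an address not on the list.
$token = issue_payment_token($session);
var_dump(verify_callback($session, ['eWAYoption1' => $token], '198.51.100.7'));
```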