How to avoid amount tampering while integrating payment gateways?

Problem description

I am integrating payment gateway in php. The gateway providers told me that it contains high-risk vulnerability (i.e. Amount Tampering) . I am not an expert in payment gateway integration. How can I prevent Amount Tampering?

Solution

Here are some things you can do to prevent amount tampering.

  1. Checksum or hash digest, if the payment gateway has this implemented. This simply means generating a hash of the payload you want to send to the payment gateway and sending the hash with it. The gateway will also generate the hash and compare it with the hash sent to it. If it matches, the payload has not been tampered with; otherwise, it has been tampered with and the payment gateway will drop the transaction. Ask your payment gateway for this. It is the most recommended method.
  2. Before sending a payment to the payment gateway for processing, log the transaction details in your database. The amount, transaction reference and currency must be logged. Once you get a response from the payment gateway, call the payment gateway's transaction query endpoint with your transaction reference to confirm the transaction directly from the payment gateway, then verify your logged transaction amount, transaction reference and currency against the ones you got from the payment gateway. If there is any discrepancy, log the transaction for dispute resolution; otherwise, update your transaction record with the returned transaction status.
  3. Option 2 only works if the payment gateway has a transaction query endpoint. If your payment gateway doesn't have a transaction query endpoint, when you get a transaction response, just verify your logged transaction amount, transaction reference and currency against the ones you got from the payment gateway. If there is any discrepancy, log the transaction for dispute resolution; otherwise, update your transaction record with the returned transaction status. (I would advise against using a payment gateway that doesn't have an endpoint to query your transactions, though.)

I recommend using 1 and 2 together if you can.
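As an added illustration of points 1 to 3 (this is not part of the original answer and is not any real gateway's API): a keyed HMAC over the canonicalised payload, a constant-time check of the returned signature, and the reconciliation of the locally logged amount, reference and currency against what the gateway reports. The field names, the secret constant and the gateway response are constructed placeholders; the real gateway's documentation defines which fields are signed and how they are canonicalised.

```php
<?php
// Added example, not code from the original answer or from any gateway.
// Field names, the secret and the gateway response below are constructed
// placeholders; a real integration follows the gateway's own signing rules.

declare(strict_types=1);

const SHARED_SECRET = 'replace-with-the-secret-issued-by-your-gateway'; // placeholder

/**
 * Point 1: canonicalise the fields in a fixed order and sign them.
 * Every field that influences the payment (amount, currency, reference) must
 * be covered; an uncovered field can be altered without breaking the hash.
 */
function signPayload(array $fields, string $secret): string
{
    ksort($fields);                                  // order-independent canonical form
    $canonical = http_build_query($fields);          // key=value&key=value, URL-encoded
    return hash_hmac('sha256', $canonical, $secret); // keyed: a plain SHA-256 could be recomputed by anyone
}

function verifySignature(array $fields, string $receivedHash, string $secret): bool
{
    $expected = signPayload($fields, $secret);
    return hash_equals($expected, $receivedHash);    // constant-time comparison
}

/**
 * Points 2 and 3: compare the locally logged transaction against what the
 * gateway returns (from its query endpoint or, failing that, its callback).
 * Amounts are compared as integer minor units to avoid float rounding issues.
 * Returns the list of mismatching fields; an empty list means the record may
 * be updated with the gateway's status.
 */
function reconcile(array $logged, array $gatewayTx): array
{
    $mismatches = [];
    foreach (['amount_minor', 'currency', 'reference'] as $key) {
        if (($logged[$key] ?? null) !== ($gatewayTx[$key] ?? null)) {
            $mismatches[] = $key;
        }
    }
    return $mismatches;
}

// --- constructed walk-through -------------------------------------------
$payload = ['reference' => 'ORDER-1001', 'amount_minor' => 125000, 'currency' => 'NGN'];
$sig = signPayload($payload, SHARED_SECRET);

// The same payload with the amount changed after signing fails verification.
$tampered = $payload;
$tampered['amount_minor'] = 1000;
var_dump(verifySignature($payload, $sig, SHARED_SECRET));
var_dump(verifySignature($tampered, $sig, SHARED_SECRET));

// Point 2: the row written to the database before handing off to the gateway ...
$logged = ['reference' => 'ORDER-1001', 'amount_minor' => 125000, 'currency' => 'NGN', 'status' => 'pending'];
// ... and a constructed response as the gateway's query endpoint might return it.
$fromGateway = ['reference' => 'ORDER-1001', 'amount_minor' => 1000, 'currency' => 'NGN', 'status' => 'success'];

$diff = reconcile($logged, $fromGateway);
if ($diff !== []) {
    // Log for dispute resolution instead of fulfilling the order.
    error_log('amount mismatch on ORDER-1001 in fields: ' . implode(',', $diff));
} else {
    // Safe to update the local record with $fromGateway['status'].
}
```

Two points worth making explicit: an unkeyed hash of the payload offers no protection if whoever modifies the payload can recompute it, so the digest has to be keyed with a secret shared only with the gateway (an HMAC) and compared with a constant-time function; and the reconciliation in points 2 and 3 only catches tampering if the amount compared is the one stored server-side before the redirect, never a value read back from the client's request.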
