CBA Comweb Letter

This document provides information and guidance to a merchant on an important upcoming security update requiring them to transition from using MD5 algorithms to SHA256 algorithms for online payments by 30 November 2016. It outlines what the change means, the steps needed to be taken, and includes an example of code needed to implement the transition.

Uploaded by

dabaxa9060

Commonwealth Bank

Commonwealth Bank of Australia


ABN 48 123 123 124

Merchant Solutions


GPO Box 2719
Sydney
NSW 2001
Australia

031 000326-1220232-01

BUILDMAT PTY LTD 601992527

22A PRINCES HWY
DOVETON VIC 3177

7 November 2016
Dear Valued Customer,

Your merchant ID: 5353109390628931

Reminder: Important security update on your online merchant facility

On the 10th of October 2016, we sent you a letter regarding an important security update to your
online merchant facility. We noticed that you may not have implemented this upgrade as yet.

We would like to remind you that on the 30th of November 2016, we will be implementing a
security upgrade to our online merchant payment platform.

What this means

The use of MD5 algorithms will no longer be accepted via your online merchant facility. We have
made this decision to align with industry best practices, so we can maintain appropriate levels of
safety, security, and integrity for you and your customers.

We have identified that you are one of a small number of customers currently using MD5
algorithms and would like to notify you that, in order to continue processing transactions
successfully, you need to make the necessary technical changes and start to use the SHA256
algorithm standard by 30th November 2016.

You will need to upgrade from using MD5 algorithms to SHA256 algorithms to avoid interruption
to service after this point.

What you need to do

Provide this letter, including all the content, to your IT support team or developer to complete this
transition for you.

In order to support your transition to a secure algorithm, we are providing you with the following
resources:

Can I test the SHA-256 HMAC once implemented?
Yes, you can use your test merchant ID to test this new integration. If you do not know your test
merchant ID, our support team can provide you with this information. You may contact
our support team on 1800 882 888, 9am - 5pm AEDT, Monday - Friday.

Where do I get Merchant Admin Login support?


For login support, please contact our support team.

I use a shopping cart, what should I do?


You will need to contact and advise your shopping cart provider of the necessary changes. Some
shopping carts are open source, therefore, you may be able to make changes directly using your
own developer.

Where can I find Development Kits?


Development kits are provided in the following coding languages:
• PHP
• .Net/ C#
• JSP
Please contact our support team to securely obtain this information.

Example
An example using PHP coding language to change from MD5 Hash to SHA 256 is shown below:
Step 1: Create string with transaction data via the merchant application.

Example PHP Code:


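<?php
$hashinput = "";
foreach ($_POST as $key => $value) {
    // create the hash input and URL leaving out any fields that have no value
    if (strlen($value) > 0) {
        // escape request values before writing them into the page
?>
<input type="hidden" name="<?php echo(htmlspecialchars($key, ENT_QUOTES)); ?>" value="<?php echo(htmlspecialchars($value, ENT_QUOTES)); ?>"/><br>
<?php
        // only vpc_ and user_ fields are included in the hash input
        if ((strlen($value) > 0) && ((substr($key, 0, 4) == "vpc_") || (substr($key, 0, 5) == "user_"))) {
            $hashinput .= $key . "=" . $value . "&";
        }
    }
// (the foreach loop is closed at the start of the Step 2 code)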


Example String Code Generated:

user_SessionId=567890&vpc_AccessCode=7SA6GH9&vpc_Amount=1000&vpc_CardExp=1305&vpc_CardNum=345678901234564&vpc_Command=pay&vpc_MerchTxnRef=txn1&vpc_Merchant=MasterCardITESTMERCHANT&vpc_Version=1

Step 2: Create SHA-256 HMAC


• Obtain Secure Hash Secret either from existing MD5 calculation or from Merchant Administration
• Calculate SHA-256 HMAC using the secret as a key to produce the secure hash
• Add the hash to the request string to send to the gateway
Example PHP Code:

}
// remove the trailing "&" left by the loop
$hashinput = rtrim($hashinput, "&");
?>
<!-- attach SecureHash -->
<input type="hidden" name="vpc_SecureHash" value="<?php
// the hex-encoded secret is converted to raw bytes and used as the HMAC key
echo(strtoupper(hash_hmac('SHA256', $hashinput, pack('H*', $securesecret)))); ?>"/>
<input type="hidden" name="vpc_SecureHashType" value="SHA256">

Example SHA-256 HMAC Generated:
The Secure Hash Secret obtained from Merchant Administration / Existing MD5 calculation:
3812B7C7D21726AAC9633E1D42BD43A73A329F8906C248EFAF9CEC354F8B0C08

Calculate SHA256 HMAC using the secret as a key to produce the secure hash:
7C6866D081DF14FE03FA4168F3328C2D33E192E7CA5D08F5D4533F044A866D41

Add the hash to the request string to send to the gateway:


user_SessionId=567890&vpc_AccessCode=7SA6GH9&vpc_Amount=1000&vpc_CardExp=1305&vpc_CardNum=345678901234564&vpc_Command=pay&vpc_MerchTxnRef=txn1&vpc_Merchant=MasterCardITESTMERCHANT&vpc_Version=1&vpc_SecureHash=7C6866D081DF14FE03FA4168F3328C2D33E192E7CA5D08F5D4533F044A866D41&vpc_SecureHashType=SHA256
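
Steps 1 and 2 combined into two functions, as an added example that is not part of the bank's letter or development kits. The function names and sample values are constructed, and sorting the fields by name is an assumption taken from the alphabetical order of the example string above.

```php
<?php
declare(strict_types=1);
// Added example, not the bank's code. Function names are hypothetical.
function build_hash_input(array $fields): string
{
    // Assumption: fields are signed in name order, as in the example string.
    ksort($fields, SORT_STRING);
    $pairs = [];
    foreach ($fields as $key => $value) {
        $key = (string) $key;
        $value = (string) $value;
        $signed = strncmp($key, 'vpc_', 4) === 0 || strncmp($key, 'user_', 5) === 0;
        // Leave out empty values, other fields, and the hash fields themselves.
        $isHashField = in_array($key, ['vpc_SecureHash', 'vpc_SecureHashType'], true);
        if ($value === '' || !$signed || $isHashField) {
            continue;
        }
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs); // no trailing "&", so no rtrim() is needed
}

function secure_hash(string $hashInput, string $hexSecret): string
{
    // pack('H*') only warns on a non-hex digit and still returns a key,
    // so reject a malformed secret before it is used.
    if ($hexSecret === '' || strlen($hexSecret) % 2 !== 0 || !ctype_xdigit($hexSecret)) {
        throw new InvalidArgumentException('secret must be an even-length hex string');
    }
    return strtoupper(hash_hmac('sha256', $hashInput, pack('H*', $hexSecret)));
}

// Constructed sample values: not a real merchant, access code or secret.
$fields = [
    'vpc_Version' => '1', 'vpc_Command' => 'pay', 'vpc_Amount' => '1000',
    'vpc_Merchant' => 'EXAMPLEMERCHANT', 'vpc_AccessCode' => 'EXAMPLE1',
    'vpc_MerchTxnRef' => 'txn1', 'user_SessionId' => '567890',
    'vpc_CardExp' => '',   // empty: left out of the hash input
    'submit' => 'Pay',     // neither vpc_ nor user_: left out
];
$secret = str_repeat('0123456789ABCDEF', 4); // constructed 32-byte key, hex-encoded

$input = build_hash_input($fields);
$hash = secure_hash($input, $secret);
echo $input, "\n", $hash, "\n";

// Changing any signed field changes the hash.
$tampered = secure_hash(build_hash_input(['vpc_Amount' => '1'] + $fields), $secret);
var_dump(hash_equals($hash, $tampered));
```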
