Here is an example of some transaction variables:
MerchantID: YourCo-1234567
Amount: 100.00
Currency Code: 826
Order ID: 12345
These variables would be concatenated (in a specific order) and combined with data known only to your system and ours (the account password and PreSharedKey), which are NOT transmitted with the transaction request. The amount appears in the string in minor units, so 100.00 becomes 10000. This produces the following string:
MerchantID=YourCo-1234567&Password=MyPassword&PreSharedKey=ASecretKey&Amount=10000&CurrencyCode=826&OrderID=12345
When this string is passed into a hashing function (in this case SHA1), a simple hash method would output the following hash digest (or “Signature”), which is also transmitted with the transaction variables:
5c6b9c913b2301e9aa6ff488b06e09273cded2a5
If the amount were altered from £100.00 to £1.00:
MerchantID: YourCo-1234567
Amount: 1.00
Currency Code: 826
Order ID: 12345
When these variables are received by our system, they would be used to produce the following string:
MerchantID=YourCo-1234567&Password=MyPassword&PreSharedKey=ASecretKey&Amount=100&CurrencyCode=826&OrderID=12345
When passed into the same hashing function, this string would produce the following hash digest (or “Signature”):
4ba1164acbec732c18cd6e5f632adcdd4b440237
This demonstrates that changing any of these variables, even by a single character, produces a very different hash digest. Because the digest recomputed by our system no longer matches the Signature sent with the request, variable tampering is very easy to detect.
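The signing and verification steps described above, as an added example (not the gateway's own code). The field order and secrets are taken from the strings shown on this page; the function names, the two-decimal minor-unit conversion and the constant-time comparison are assumptions of this sketch.

```python
import hashlib
import hmac
from decimal import Decimal

# Sample secrets from the strings above; held by both sides, never transmitted.
PASSWORD = "MyPassword"
PRE_SHARED_KEY = "ASecretKey"


def minor_units(amount: str) -> str:
    """Convert '100.00' to '10000' (assumes a two-decimal currency such as 826)."""
    return str(int(Decimal(amount) * 100))


def string_to_hash(fields: dict) -> str:
    """Concatenate the variables and the shared secrets in the order shown above."""
    return (f"MerchantID={fields['MerchantID']}&Password={PASSWORD}"
            f"&PreSharedKey={PRE_SHARED_KEY}&Amount={minor_units(fields['Amount'])}"
            f"&CurrencyCode={fields['CurrencyCode']}&OrderID={fields['OrderID']}")


def sign(fields: dict) -> str:
    """Sender side: SHA1 hex digest of the concatenated string."""
    return hashlib.sha1(string_to_hash(fields).encode("utf-8")).hexdigest()


def verify(fields: dict, signature: str) -> bool:
    """Receiver side: recompute the digest from the received variables plus the
    locally held secrets and compare it to the received signature in constant time."""
    expected = sign(fields).encode("ascii")
    return hmac.compare_digest(expected, signature.strip().lower().encode("utf-8"))


def demo():
    # Constructed request using the example values from this page.
    request = {"MerchantID": "YourCo-1234567", "Amount": "100.00",
               "CurrencyCode": "826", "OrderID": "12345"}
    signature = sign(request)                 # sent alongside the variables
    tampered = dict(request, Amount="1.00")   # amount altered in transit
    return verify(request, signature), verify(tampered, signature)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("original accepted:", ok)
    print("tampered accepted:", tampered_ok)
```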
