When the Hosted Payment Form solution is implemented, the transaction data must be protected as it is passed to the payment page via the customer’s browser. The data is protected by hashing. Hashing produces a unique “signature” for the data being passed; it is generated not only from the data being transmitted but also from secret data that is not transmitted, so the hash digest cannot be recreated from the data that passes through the customer’s browser alone. Our system re-calculates the hash signature on receipt of the transmitted data, and if it does not match the hash signature that was transmitted with the data, the data has been tampered with and the transaction stops with an error message. Your site should carry out the same process (in reverse) on receipt of the transaction results.
Examples of this type of tampering include lowering the transaction price (say from £100.00 down to $1.00) or making a failed transaction look like an authorised one. This is called a “man-in-the-middle” attack.
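As an added example, not code from the Hosted Payment Form documentation itself: the sign-then-verify check described above, in Python, using an HMAC over the transaction fields keyed with a shared secret that is never sent to the browser. The field names, the canonical field ordering and the choice of HMAC-SHA256 are assumptions for illustration; the provider’s actual algorithm and field list are not given on this page.

```python
import hashlib
import hmac

# Constructed shared secret for this example. In practice it is issued by the
# payment provider, held by both sides, and never sent via the browser.
SECRET = b"example-shared-secret-do-not-reuse"


def canonical(fields: dict) -> bytes:
    """Serialise the fields in a fixed order so both sides hash identical bytes.
    Sorted keys and '&' as separator are assumptions; the provider defines its own."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode("utf-8")


def sign(fields: dict, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the canonical form, keyed with the untransmitted secret."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def verify(fields: dict, received_sig: str, secret: bytes = SECRET) -> bool:
    """Recompute the signature on receipt and compare in constant time."""
    return hmac.compare_digest(sign(fields, secret), received_sig)


# Outbound leg: merchant site -> payment page, passing through the customer's browser.
request = {"order": "ORD-1001", "amount": "100.00", "currency": "GBP"}
request_sig = sign(request)

# A tampered copy of the same request: the amount was lowered in transit.
tampered = dict(request, amount="1.00")

# Return leg: payment page -> merchant site, also via the browser; the merchant
# performs the same check in reverse on the transaction result.
result = {"order": "ORD-1001", "amount": "100.00", "currency": "GBP", "status": "DECLINED"}
result_sig = sign(result)
forged = dict(result, status="AUTHORISED")

if __name__ == "__main__":
    print("genuine request verifies:", verify(request, request_sig))
    print("lowered amount verifies:", verify(tampered, request_sig))
    print("genuine result verifies:", verify(result, result_sig))
    print("forged 'authorised' result verifies:", verify(forged, result_sig))
```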
