RDP Redirect API

Signature

First Phase Request Signature

Below are those steps to generate the first phase payment signature:

1. Build a String of concatenated values of the request fields with the following order:
  ‘mid’, ‘order_id’, ‘payment_type’, ‘amount’, and ‘ccy’.
  Code example (in PHP):
```
/* given $params contains the parameters you would like to sign */
$fields_for_sign = array('mid', 'order_id', 'payment_type', 'amount', 'ccy');
$aggregated_field_str = "";
foreach ($fields_for_sign as $f) {
    $aggregated_field_str .= trim($params[$f]);
}
```
2. For transaction with saved token via Redirect Payment API HOP, the following value(s) need to be further concatenated to the string.
  - payer_id
  Code example (in PHP):
```
$aggregated_field_str .= payer_id;
```
3. While for Redirect Payment API SOP, the following values need to be further concatenated to the string.
  1. String for SOP using card details
    - card_no
      Concatenation of the first-6-digits and last-4-digits of the card_no.
      Example: 4026000002 (from 4026000000000002)
    - exp_date (in ‘MMYYYY’ format)
    - cvv2
      The last digit of cvv2. Example: 3 (from 123)
    Code example (in PHP):
```
$aggregated_field_str .= substr(card_no,0,6).substr(card_no,-4); 
$aggregated_field_str .= exp_date;

$aggregated_field_str .= substr(cvv2,-1);
```
    If cvv2 is not available, you can proceed to concatenate the card_no and exp_date only.
  2. String for SOP using payer ID
    - payer_id
    - cvv2
      The last digit of cvv2. Example: 3 (from 123)
    Code example (in PHP):
```
$aggregated_field_str .= payer_id; 
$aggregated_field_str .= substr(cvv2,-1);
```
    If cvv2 is not available, you can proceed to concatenate the payer_id only.
4. Concatenate the result string from step 1 with the secret key given by RDP when
  setting up your account.Code example (in PHP):
```
$secret_key=
"D716A4188569B68AB1B6DFAC178E570114CDF0EA3A1CC0E31486C3E41241BC6A76424E8C37AB26F096FC85EF9886C8CB634187F4FDDFF645FB099F1FF54C6B8C";
$aggregated_field_str .= $secret_key;
```
5. Finally the signature is generated by applying SHA-512 hash algorithm on the string
  from step 2.
  Code example (in PHP):
```
$signature = hash ('sha512', $aggregated_field_str);
```

Generic Signature

Other than the first phase request, the algorithm for other generated signature should follow the Generic Signature algorithm mentioned in this section.

The algorithm is applicable for this following process or steps:

Authenticating the response values from first phase.
Authenticating the response values from push notification result.
Signing the request for Query Redirection step (the step where Merchant wants to retrieve payment-result out of redirection from RDP – triggered by Merchant’s Redirected URL).
Authenticating the payment result from query redirection step.

Here are the step by step procedures to generate the generic signature:

Prepare the map of request parameters (for authenticating response, prepare the map of payment_response parameters).Sample code for request query-redirection (in PHP):

$rp = array(
'mid' => '1000089029',
'transaction_id' => $_GET['transaction_id'] );

Sample code for authentication response (in PHP):

$response_array = json_decode($json_response, true); 
    if (isset($response_array['payment_response']) {
    unset($response_array['payment_response']['signature'])
    $rp = $response_array['payment_response'];

}

Recursively spin through the array to be sign.Sample code (in PHP):

$data_to_sign = "";

//	at the end of the function call $data_to_sign contains the String required for step 3

recursive_generic_array_sign($rp, $data_to_sign);

/* RECURSIVE FUNCTION DEFINITION */
// use reference-passing to update the variable directly
function recursive_generic_array_sign(&$params, &$data_to_sign) {

//	sort the parameters based on its key 
     ksort($params);
//	Traverse through each component
//	And generate the concatenated string to sign 

    foreach ($params as $v) {
        if (is_array($v)) {
//	In case of array traverse inside
//	And build further the string to sign

        recursive_generic_array_sign($v, $data_to_sign);
        }
        else {
	// Not an array means this is a key=>value map,
	// Concatenate the value to data to sign

            $data_to_sign .= $v;
        }
    }

}

Concatenate the string from step 2 with secret_key (in case for response-parameters the secret-key to be used is the secret-key’s of request_mid, as the mid in response can be different from request_mid for Merchant with multiple payment-mode).Sample code (in PHP):
```
$data_to_sign .= $secret_key;
```
Finally get the signature by applying SHA-512 algorithm on the result string from step 3.
Sample code (in PHP):
```
$signature = hash('sha512', $data_to_sign);
```

Sample of a generic signature function definition in PHP language.


function sign_generic($secret_key, $params)
{
    // a copy-passing, so it's not altering the original 
    unset($params['signature']);

    $data_to_sign = "";
    recursive_generic_array_sign($params, $data_to_sign);

    $data_to_sign .= $secret_key;

    return hash('sha512', $data_to_sign);
}

function recursive_generic_array_sign(&$params, &$data_to_sign)
{
//	sort the parameters based on its key 
     ksort($params);
//	Traverse through each component
//	And generate the concatenated string to sign 

    foreach ($params as $v) {

        if (is_array($v)) {
//	in case of array traverse inside
//	and build further the string to sign
        recursive_generic_array_sign($v, $data_to_sign);

        }
        else {
//	Not an array means this is a key=>value map,
//	Concatenate the value to data to sign

            $data_to_sign .= $v;
        }
    }
}

Additional Note

Please take note that the ‘signature’ field or parameter will not always be available or exist inside RDP response message; and might only be available or exist for these following response codes:

Response Code	Description
0	OK or successful.
-1	Bank or acquirer rejection.
-01	The transaction is on pending status. Merchant need to continue with either polling query API or waiting for push notification (if there is 'notify_url' parameter at request phase).