skey

(in payment response)

skey is a hash string that the payment gateway generates and returns with the payment result, so that the merchant system can check the integrity of the data it receives. Merchants or developers MUST verify this hash string properly and compare the order ID, currency, amount, and the payment date/time, to protect themselves from being cheated by a fraudster/hacker. The hash is computed from a “Secret Key” (like a private key) in combination with a data string.

Please note that the Merchant Request APIs have other “skey” parameters that use different formulas. Do not confuse them with this payment response “skey”.

skey is hashed twice using the MD5 hash function and consists of the following information (which must be concatenated in the following order):

First hash string

  1. Transaction ID

  2. Order ID

  3. Status

  4. Merchant ID (domain)

  5. Amount

  6. Currency

Final hash string

  1. Payment Date/Time

  2. Merchant ID (domain)

  3. First hash string

  4. Approval Code

  5. Secret Key

Formula to generate skey

pre_skey = md5( txnID & orderID & status & merchantID & amount & currency)

skey = md5( paydate & merchantID & pre_skey & appcode & secret_key )

Example to generate skey for PHP developers

<?php

$sec_key ="xxxxxxxxxx"; //Replace xxxxxxxxxx with your Secret_Key

/********************************
*Don't change below parameters
********************************/
$tranID 	=	$_POST['tranID'];
$orderid 	=	$_POST['orderid'];
$status 	=	$_POST['status'];
$merchant 	=	$_POST['domain'];
$amount 	=	$_POST['amount'];
$currency 	=	$_POST['currency'];
$appcode 	=	$_POST['appcode'];
$paydate 	=	$_POST['paydate'];
$skey 		=	$_POST['skey']; //Security hashstring returned by PG

/***********************************************************
* Verify the integrity of the data sent by the PG
************************************************************/
$key0 = md5( $tranID.$orderid.$status.$merchant.$amount.$currency );
$key1 = md5( $paydate.$merchant.$key0.$appcode.$sec_key );
// $key1 : hash string generated on the merchant system
// The merchant ID ($merchant / domain) can be taken from POST or from
// a value predefined internally; both values should be identical

if( !is_string( $skey ) ){
  // error or exception case: skey is missing or malformed
} elseif( hash_equals( $key1, $skey ) ){
  // If matched, perform the extra checks before approving the order
  // (hash_equals() compares the two strings in constant time)
} else {
  // If unmatched, reject the order, or the merchant can send a query to
  // the PG using Merchant requery to double-check the payment status
  // for that particular order.
}

?>
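The extra checking that the sample above leaves as a comment can look like the following. This is an added example, not the gateway's own code: the function name, the `$config` and `$order` array layouts and all sample values are hypothetical or constructed, and it assumes the merchant stores the order amount as a string in the same format the gateway returns.

```php
<?php
// Added example, not gateway code. Names and array layouts are hypothetical.
function verify_payment_response(array $post, array $config, array $order): array
{
    // Every hashed field must be present as a plain string; PHP parses
    // "skey[]=x" into an array, which must never reach md5().
    $fields = ['tranID', 'orderid', 'status', 'domain', 'amount',
               'currency', 'appcode', 'paydate', 'skey'];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return [false, "missing or malformed field: $f"];
        }
    }
    // Hash with the merchant ID held in configuration, not the posted one,
    // so a response addressed to a different merchant cannot verify.
    $merchant = $config['merchant_id'];
    $key0 = md5($post['tranID'] . $post['orderid'] . $post['status']
        . $merchant . $post['amount'] . $post['currency']);
    $key1 = md5($post['paydate'] . $merchant . $key0
        . $post['appcode'] . $config['secret_key']);
    if (!hash_equals($key1, $post['skey'])) {   // constant-time comparison
        return [false, 'skey mismatch'];
    }
    // A valid hash only shows the values were not altered in transit; they
    // must still match the order recorded on the merchant side.
    // Assumption: $order stores amount as a string in the gateway's format.
    foreach (['orderid', 'currency', 'amount'] as $f) {
        if ($post[$f] !== $order[$f]) {
            return [false, "$f does not match the stored order"];
        }
    }
    return [true, 'verified'];
}

// Constructed sample data (not real credentials or transactions).
$config = ['merchant_id' => 'demo_merchant', 'secret_key' => 'demo-secret-key'];
$order  = ['orderid' => 'ORD-1001', 'currency' => 'MYR', 'amount' => '25.00'];
$post   = ['tranID' => '900001', 'orderid' => 'ORD-1001', 'status' => '00',
           'domain' => 'demo_merchant', 'amount' => '25.00', 'currency' => 'MYR',
           'appcode' => 'A12345', 'paydate' => '2024-01-15 10:30:00'];
// Stand-in for the gateway: computes skey with the formula from this page.
$sign = function (array $p) use ($config): string {
    $k0 = md5($p['tranID'] . $p['orderid'] . $p['status'] . $p['domain'] . $p['amount'] . $p['currency']);
    return md5($p['paydate'] . $p['domain'] . $k0 . $p['appcode'] . $config['secret_key']);
};
$post['skey'] = $sign($post);
print_r(verify_payment_response($post, $config, $order)); // untouched response
$post['amount'] = '1.00';                                 // altered after hashing
print_r(verify_payment_response($post, $config, $order));
$post['skey'] = $sign($post);                             // genuine hash, wrong amount
print_r(verify_payment_response($post, $config, $order));
```

The third call shows why the hash check alone is not sufficient: a correctly hashed response for a different amount still has to be rejected against the stored order.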
