SSL, security and hashing

Helcim.js greatly reduces your security and compliance scope by establishing a secure connection between the cardholder's web browser and our Helcim API.

SSL/TLS Certificate

While the connection between the customer and Helcim's services is secured, the customer cannot see the secure https connection established by the JavaScript without examining the source code. Therefore, from an appearance standpoint, it is important that merchants have an SSL certificate installed on the displayed page, as customers have been trained to look for one. It is also good practice to use SSL whenever capturing customer information, even if sensitive cardholder information is handled by Helcim.

In test-mode, an SSL certificate is not required to be present on your checkout page. However, you need to tell Helcim.js to skip the SSL verification by creating an input field with id=test value=1.

In production mode, Helcim.js will verify that an SSL certificate is present, or return an error.

Hashing of the amount value

Amount hashing is an optional security tool available with Helcim.js. It is used to prevent the end-user from modifying the transaction amount through their web browser or POST manipulation:

  • When enabled in your configuration, a secret hash key is created. This key should not be shared or made available to the end-user.
  • When setting the amount field, you should also set the amountHash field with the hashed value. This will allow Helcim.js to confirm that the amount received was in fact set by the merchant and not modified by the customer.
  • Helcim.js will hash the amount field with the secret key of your Helcim.js configuration, and make sure that the output matches exactly with the received amountHash value.
  • The hash should be computed using sha256 over the secret key concatenated with the amount value.
  • The amount value should be formatted as #######.## with 2 decimal places and no comma separations.
  • If the hashes do not match and Hashing is enforced, Helcim.js will return an error.

Hashing specifications

Hash Method = sha256
Value = secret_key concatenated with amount
Amount Format = #######.##

<?php

    // SET VALUES
    $secretKey = '13dbdeadcde3e5f7b7dc5bf7041850a5660e0587'; // FOUND IN YOUR CONFIG
    $amount = '2500.00';

    // ONE-WAY HASH
    $amountHash = hash('sha256',$secretKey.$amount);

?>
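
The sample above hashes a hard-coded amount string; the following added example (not Helcim's code) builds the #######.## string from integer cents on the server before hashing, so that the value sent to the browser and the value hashed are always the same string. The environment variable name HELCIM_JS_SECRET, the function names, the sample values, and the reading of #######.## as at most seven integer digits are assumptions.

```php
<?php
// Added example, not Helcim's code. Runs server-side only: the secret key is
// read from an environment variable (HELCIM_JS_SECRET is a hypothetical name)
// and is never written into the page or its JavaScript.

/** Format integer cents as #######.## (two decimals, no comma separators). */
function formatAmount(int $cents): string
{
    // Assumption: the seven # characters mean at most seven integer digits.
    if ($cents < 0 || $cents > 999999999) {
        throw new InvalidArgumentException('Amount out of range for #######.##');
    }
    // Integer arithmetic avoids float rounding and locale-specific separators.
    return sprintf('%d.%02d', intdiv($cents, 100), $cents % 100);
}

/** sha256 of the secret key concatenated with the formatted amount. */
function amountHash(string $secretKey, string $amount): string
{
    // Refuse anything that is not already in the documented format, so a
    // value such as "2,500.00" or "2500" is never hashed by mistake.
    if (!preg_match('/^\d{1,7}\.\d{2}\z/', $amount)) {
        throw new InvalidArgumentException('Amount must be formatted as #######.##');
    }
    return hash('sha256', $secretKey . $amount);
}

// Constructed sample values for illustration.
$secretKey  = getenv('HELCIM_JS_SECRET') ?: 'constructed-sample-key';
$orderCents = 250000; // order total taken from the server-side order record

$amount     = formatAmount($orderCents);
$amountHash = amountHash($secretKey, $amount);

// Only these two values are placed in the amount and amountHash fields.
printf("amount=%s\namountHash=%s\n", $amount, $amountHash);

// Local illustration of the comparison described above: recompute the hash
// for an amount changed in the browser and compare it to the merchant-set hash.
$tamperedAmount = '25.00';
$stillMatches = hash_equals($amountHash, amountHash($secretKey, $tamperedAmount));
printf("tampered amount accepted: %s\n", $stillMatches ? 'yes' : 'no');
```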