How are the Security configuration settings in Payment Pages used?

x_fp_hash

x_MD5_Hash

x_SHA1_Hash

This setting determines the encryption algorithm used to generate hash values. 

Setting it to MD5 means that:

• merchant must calculate x_fp_hash using HMAC-MD5


• E-xact will sign the transaction results using MD5 and return it as x_MD5_Hash
  

Setting it to SHA1 means that:

• merchant must calculate x_fp_hash using HMAC-SHA1
  


• E-xact will sign the transaction results using SHA1 and return it as x_SHA1_Hash
  

Transaction Key

The Transaction Key is used by the merchant to generate x_fp_hash, which needs to be included as part of the payment request form. 

The x_fp_hash value allows E-xact to validate that the payment request was generated by the merchant's server, and that key parts of the payment request such as amount and timestamp have not been modified by a third party.

x_MD5_Hash

x_SHA1_Hash

When E-xact sends transaction results to the merchant, we'll sign it with a cryptographic hash and return the hashed value as either x_MD5_Hash or x_SHA1_Hash depending on the "HMAC Calculation" setting.  The merchant can use this value to verify that the message is coming from E-xact.