Bank link (pangalink) is a method of exchanging purchase and payment data between a customer, a bank and a shop, which is widespread mainly in Estonia. Banks offer it to stores as a paid service, and besides payment it can also be used to authenticate users (this is done, for example, by the educational site sais.ee). Why is this needed? Because it is very convenient for the client; judge for yourself, here is the whole process of paying a bill:
- The client selects the goods and receives an invoice together with a link to the bank.
- Inside the link, all the payment and invoice data are protected and confirmed with a cryptographically strong signature. The client pays the fully itemized invoice at the bank.
- The bank redirects the client back to the site, again with all the payment data and a signature.
This is partly why Estonia already has arved.ee and practically every store displays bank icons.

In general, to make this work you need:
- a unique ID, issued by the bank after the contract is signed
- certificates: the bank's public key and your own public and private keys
- a program that does the data exchange correctly
Cryptography
Since everything works in SSL mode, you need the bank's public key to generate a message for the bank and, conversely, your own private key to open a message that the bank generated with the store's public key. So the store's private key looks like this (the data is in base64 encoding, which is simpler):
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC6GI5uaA7hEkgeP98VHL6TSxJwwPI+Mh+rFxKQPCgarT3/nZCS
Gz1r223+gfH/adV4IDvlbYT18VQ4vSspX+QRAidFeZvsfv99FewnwNoTL3LwYp/K
r9eW5YCpCEe8Crziks0vf92PNoHgNAL0iVo0Zma1ScDBSPBlQJoZ1UiwoQIDAP//
-----END RSA PRIVATE KEY-----
The public key has different data and a PUBLIC header instead of PRIVATE. Naturally, the private key is private, and if it ever leaks, anyone with enough skill can sign a fictitious payment for goods. The keys can be generated with OpenSSL.
Working in PHP
I write in PHP, keep the keys in .pem files and send everything to the bank with a POST form. Namely: we create a form with the POST method whose action is the bank's URL that receives the data; for Hanza this is www.hanza.net/cgi-bin/hanza/pangalink.jsp. Then we add hidden fields with names like VK_RETURN (the link to return to after payment). Each bank has its own set of variables and its own order. The whole set is signed in the VK_MAC variable, which is generated with the openssl_pkey_get_private and openssl_sign functions. After the goods are paid for, the payment has to be confirmed on your site: we take the variables the bank sent back to us in the request and verify the signature in VK_MAC with openssl_pkey_get_public and openssl_verify. If the bank's signature is correct and VK_SERVICE = 1101, everything is in order.
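To make the signing and verification steps concrete, here is an added example (not the post's code and not zone.ee's) of how pay.php and notify.php can compute and check VK_MAC with the openssl_* functions named above. It assumes the standard pangalink convention of prefixing each field value with its three-digit length before concatenation, RSA with SHA-1 as in the original spec, base64 for VK_MAC and PEM keys; the VK_* field orders in the constants are illustrative and must be taken from your bank's specification.

```php
<?php
// Added example, not code from the original post or from zone.ee.
// Field orders below are illustrative: take the real ones for your bank's
// service codes (e.g. 1002 request, 1101 answer) from its pangalink spec.
const VK_REQ_ORDER = ['VK_SERVICE', 'VK_VERSION', 'VK_SND_ID', 'VK_STAMP',
                      'VK_AMOUNT', 'VK_CURR', 'VK_REF', 'VK_MSG'];
const VK_RESP_ORDER = ['VK_SERVICE', 'VK_VERSION', 'VK_SND_ID', 'VK_REC_ID',
                       'VK_STAMP', 'VK_T_NO', 'VK_AMOUNT', 'VK_CURR', 'VK_REF', 'VK_MSG'];

// pangalink MAC input: every value prefixed with its length as three digits,
// concatenated in the bank's order (missing fields count as empty strings).
function pangalink_mac_string(array $order, array $fields): string
{
    $s = '';
    foreach ($order as $name) {
        $v = (string) ($fields[$name] ?? '');
        $s .= sprintf('%03d', strlen($v)) . $v;
    }
    return $s;
}

// pay.php side: sign the request with the shop's private key, return VK_MAC.
function pangalink_sign(array $fields, string $shopPrivPem): string
{
    $key = openssl_pkey_get_private($shopPrivPem);
    if ($key === false) {
        throw new RuntimeException('bad private key: ' . openssl_error_string());
    }
    $sig = '';
    if (!openssl_sign(pangalink_mac_string(VK_REQ_ORDER, $fields), $sig, $key, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('openssl_sign failed');
    }
    return base64_encode($sig);
}

// notify.php side: accept the bank's answer only if its signature verifies
// with the bank's public key, it is a 1101 (paid) message and it belongs to
// the order we issued (stamp and amount), so a replayed or forged POST fails.
function pangalink_payment_ok(array $post, string $bankPubPem, string $ourStamp, string $ourAmount): bool
{
    $key = openssl_pkey_get_public($bankPubPem);
    $sig = base64_decode($post['VK_MAC'] ?? '', true);
    if ($key === false || $sig === false) {
        return false;
    }
    return openssl_verify(pangalink_mac_string(VK_RESP_ORDER, $post), $sig, $key, OPENSSL_ALGO_SHA1) === 1
        && ($post['VK_SERVICE'] ?? '') === '1101'
        && ($post['VK_STAMP'] ?? '') === $ourStamp
        && ($post['VK_AMOUNT'] ?? '') === $ourAmount;
}
```

In pay.php the returned string goes into the hidden VK_MAC field next to the other VK_* fields; in notify.php the check runs against $_POST (or $_GET, depending on how the bank returns the client) with the stamp and amount loaded from your own order record, not from the request.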
Here is an example from zone.ee: pay.php with the payment form, notify.php with the confirmation and config.php with the settings. This can also be done in C++, but naturally it costs a lot more nerves.