
I'm implementing a MasterCard payment gateway on a website. In the official guide, JavaScript is used to pass the amount to be charged and which merchant the money goes to.

It looks like a user can potentially change any of the values and have the gateway return a success message back to us.

Even the success message doesn't seem to have many details for revalidation.

I can't think of a way to prevent this other than somehow converting the JavaScript to server-side code.

Official guide: https://ap-gateway.mastercard.com/api/documentation/integrationGuidelines/hostedCheckout/integrationModelHostedCheckout.html

Yojimbo
nfree25

1 Answer


I just found a solution to this. From https://ap-gateway.mastercard.com/api/documentation/integrationGuidelines/hostedCheckout/integrationModelHostedCheckout.html

you can find the section Obtain the Payment Result. You would see that when creating the checkout session, you need to input the parameter amount (*not compulsory in the API documentation).

The line: `-d "order.amount=100.00" \`

so that when you put the session id in:

```javascript
Checkout.configure({
    ...
    session: {
        id: "SESSION000292090496253818604576"
    },
    ...
});
```

what you describe as "potentially change any of the values" would be prevented.

Summary: just add the amount parameter in your server-side code when obtaining the session id.

shizhen
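The pattern the answer describes, as an added example that is not from the post or the gateway's own SDK: the server fixes `order.amount` when it creates the session, hands the browser only the session id, and later checks the payment result against its own record rather than anything the browser reports. The gateway call is a stub so the code runs offline; the field names other than `order.amount`, and the retrieve-order shape used in `verify_payment`, are assumptions.

```python
from decimal import Decimal
from secrets import token_hex

# Constructed in-memory store standing in for the merchant's database.
PENDING_ORDERS: dict[str, dict] = {}  # order_id -> expected amount/currency/session


def gateway_create_session_stub(fields: dict) -> dict:
    """Stand-in (constructed) for the authenticated server-to-gateway call."""
    if "order.amount" not in fields:
        raise ValueError("amount must be fixed server-side")
    return {"result": "SUCCESS", "session.id": "SESSION" + token_hex(8)}


def create_checkout_session(order_id: str, amount, currency: str,
                            transport=gateway_create_session_stub) -> str:
    """Create a session with the amount bound on the server; return only its id."""
    amount = Decimal(str(amount))
    fields = {
        "apiOperation": "CREATE_CHECKOUT_SESSION",  # assumed field name
        "order.id": order_id,                       # assumed field name
        "order.amount": f"{amount:.2f}",            # the field the answer points to
        "order.currency": currency,                 # assumed field name
    }
    resp = transport(fields)
    if resp.get("result") != "SUCCESS":
        raise RuntimeError("session creation failed")
    session_id = resp["session.id"]
    # Remember what this order is supposed to cost; the browser never sets it.
    PENDING_ORDERS[order_id] = {"amount": amount, "currency": currency,
                                "session_id": session_id}
    return session_id  # the only value that needs to reach Checkout.configure()


def verify_payment(order_id: str, gateway_order: dict) -> bool:
    """Accept a result only if the gateway's own record matches the server's.

    gateway_order is what the server fetched from the gateway for this order
    (assumed shape: result, amount, currency), not the redirect parameters.
    """
    expected = PENDING_ORDERS.get(order_id)
    if expected is None:
        return False
    return (gateway_order.get("result") == "SUCCESS"
            and Decimal(str(gateway_order.get("amount", "0"))) == expected["amount"]
            and gateway_order.get("currency") == expected["currency"])
```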