Verifying credit cards (creditcardcheck) on Payone with Python

Question

I'm trying to verify credit card on PayOne (https://www.payone.de/en/).

List of params I've got from According to 3.4.1 Verifying credit cards (creditcardcheck) and 3.1.2 Standard parameter section of documentation PAYONE_Platform_Client_API_EN.pdf (you can request it here https://www.payone.de/en/contact/).

1. I calculate the hash value of (aid, api_version, mid, mode, portalid, responsetype, request, storecarddata) (Python) and pass it to client side.

# build hash on server side: 
import hmac
import hashlib

params = {
    'aid': '123456', 
    'api_version': '3.12', 
    'mid': '123456', 
    'mode': 'test', 
    'portalid': '1234567', 
    'responsetype': 'JSON', 
    'request': 'creditcardcheck', 
    'storecarddata': 'yes'
}
message = ''.join([params[k] for k in sorted(params)])
return hmac.new(b'some-secret-key!', msg=message.encode('utf-8'), digestmod=hashlib.sha384).hexdigest()

2. and then do JSONP (why here is no CORS and RESTful API?) request to with additional params (cardcvc2, cardexpiredate, cardpan, cardtype) and hash that I got from serverside:

https://secure.pay1.de/client-api/?aid=123456&api_version=3.10&cardcvc2=123&cardexpiredate=1801&cardpan=012344567890123&cardtype=M&mid=12345&mode=test&portalid=1234567&responsetype=JSON&request=creditcardcheck&storecarddata=yes&hash=c6a8fe28e6d4cc63139aae5eba41bdb74f877f364a444745f4083a22db0f9861247cd4a0dfa82bd42df1ff7724754ea6&callback_method=ng_jsonp.__req0.finished

3. get result:

{ "customermessage": "An error occured while processing this transaction (wrong parameters).", "errorcode": "2007", "errormessage": "Hash incorrect", "status": "ERROR" }

I'm using python 3.5 and angular2.

What I'm doing wrong here?

PS:

• you can find example php code here, but no python code

PPS:

The hash method has been chosen in the web interface: https://pmi.pay1.de/merchants/?navi=portal&rc=1 (Method hash calculation*: SHA2-384 (recommended method))

Answer 1

Solution is call endpoint without api_version parameter:

# build hash on server side: 
import hmac
import hashlib

params = {
    'aid': '123456', 
#    'api_version': '3.12', 
    'mid': '123456', 
    'mode': 'test', 
    'portalid': '1234567', 
    'responsetype': 'JSON', 
    'request': 'creditcardcheck', 
    'storecarddata': 'yes'
}
message = ''.join([params[k] for k in sorted(params)])
return hmac.new(b'some-secret-key!', msg=message.encode('utf-8'), digestmod=hashlib.sha384).hexdigest()

PS

In the same time api_version is noted as required parameter at section 3.1.2 Standard parameter and as parameter that should be hashed at section 3.1.4 Calculation of the HASH value. So it looks like type in documentation.

Answer 2

Per default, the payone merchant accounts use md5 instead of sha384

# build hash on server side: 
import hmac
import md5
import hashlib

params = {
        'request': 'creditcardcheck', 
        'responsetype': 'JSON',       
        'mode': 'test',               
        'mid': '12345',                                
        'aid': '54321',                                
        'portalid': '2222222',                         
        'encoding': 'UTF-8',                           
        'storecarddata': 'yes', 
}
message = ''.join([params[k] for k in sorted(params)])
print message

m = hashlib.md5()
m.update(message)
m.update("secretkey")
print m.hexdigest()

This outputs:

54321UTF-812345test2222222creditcardcheckJSONyes
a435bff18234ec02a2dffa4d4850a08f

Then, open the URL and make sure all parameters except credit card params (and callback method) passed in the URL are in the hash as well. In this example it's:

https://secure.pay1.de/client-api/?aid=54321&cardcvc2=123&cardexpiredate=1801&cardpan=4111111111111111&cardtype=V&mid=12345&mode=test&portalid=2222222&responsetype=JSON&encoding=UTF-8&request=creditcardcheck&storecarddata=yes&hash=a435bff18234ec02a2dffa4d4850a08f