I'm developing a small PHP application that allows users to pay on my website using the Worldpay hosted integration.
I'm using the Worldpay test environment, which is https://secure-test.worldpay.com/jsp/merchant/xml/paymentService.jsp. I am also using the test cards.
I have a form at /index.php on my website. When submitted, it posts the form values (amount / cartId / currency / email / etc...) to /xml.php, where I capture the values and insert them into my XML. Using cURL I send this XML to Worldpay and then the user is redirected to the Worldpay payment page to complete the purchase. All working so far.
I have set up custom result URLs as described in the docs.
$successURL = urlencode( "/callback.php?paymentStatus=success");
$failureURL = urlencode( "/callback.php?paymentStatus=failure" );
$pendingURL = urlencode( "/callback.php?paymentStatus=pending" );
$errorURL = urlencode( "/callback.php?paymentStatus=error" );
In my callback.php I am checking $_GET['paymentStatus'] and redirecting to index.php with a $_SESSION['paymentStatus']. Something like:
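session_start(); // required before $_SESSION can be written
$paymentStatus = $_GET['paymentStatus'] ?? '';
if ($paymentStatus === 'success') {
    // Store the status so index.php can display the matching message
    $_SESSION['paymentStatus'] = 'success';
    header('Location: index.php');
    exit();
}
// etc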
In my index.php I am checking $_SESSION['paymentStatus'] and displaying a message accordingly.
All appears to be working so far during my testing; however, I am confused about securing payments with the MAC. I have been assigned a MAC Secret value by the Worldpay admins but I'm not sure how I should be using this.
I understand I need to compare the MAC value sent in the response of Worldpay with the MAC value I have been provided with in order to ensure it's genuine. The problem is I have no idea where to check for their MAC response?
When I submit a (successful) payment in the test environment I am redirected back to my index page and my custom success message is displayed. When I look at the console and check the network tab I can see various files with response headers but none of them contain anything like their example;
Some of the files I see in my network tab are:
https://hpp-sandbox.worldpay.com/app/hpp/62-0/payment/result?validInputs=true&ajax=true
https://example.com/callback.php?paymentStatus=success
ddc.html
index.php
process
According to their docs:
Worldpay's redirect message to the result URL contains a number of parameters that include:
orderKey, paymentAmount, paymentCurrency, paymentStatus
I have added the following to my callback.php;
print_r($_GET);
die();
This is what I see:
Array ( [paymentStatus] => success )
Any ideas as to where I should be checking for these parameters? Could it be that I am using the test environment and not the live one, and perhaps these values aren't sent in the test environment?
Their docs are kinda all over the place...
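
An added example, not part of the original post and not Worldpay's own code: one way callback.php could check the MAC before trusting `paymentStatus` from the query string. It assumes the MAC is HMAC-SHA256, keyed with the MAC secret, over `orderKey:paymentAmount:paymentCurrency:paymentStatus`, sent as hex in a query parameter named `mac2`; confirm each of those details against Worldpay's documentation. The secret, order key and amounts below are constructed sample values.

```php
<?php
// Added example. Assumptions to confirm against Worldpay's documentation:
//  - the signed fields and their order are those in MAC_FIELDS,
//  - they are joined with ":" and hashed with HMAC-SHA256 using the MAC secret,
//  - the result arrives as hex in a query parameter named "mac2".

const MAC_FIELDS = ['orderKey', 'paymentAmount', 'paymentCurrency', 'paymentStatus'];

// Recompute the MAC from the signed fields (hypothetical helper name).
function expectedMac(array $params, string $secret): string
{
    $values = [];
    foreach (MAC_FIELDS as $field) {
        $values[] = $params[$field];
    }
    return hash_hmac('sha256', implode(':', $values), $secret);
}

// True only when every signed field is present and the MAC matches.
function verifyRedirect(array $query, string $secret): bool
{
    foreach (array_merge(MAC_FIELDS, ['mac2']) as $field) {
        // Missing fields, or array values such as ?mac2[]=x, are rejected outright
        if (!isset($query[$field]) || !is_string($query[$field])) {
            return false;
        }
    }
    // hash_equals compares in constant time, avoiding a timing side channel
    return hash_equals(expectedMac($query, $secret), strtolower($query['mac2']));
}

// Constructed sample data standing in for $_GET on a genuine redirect
$secret = 'example-mac-secret';
$query = [
    'orderKey'        => 'ADMIN^MERCHANTCODE^order-1001',
    'paymentAmount'   => '1999',
    'paymentCurrency' => 'GBP',
    'paymentStatus'   => 'AUTHORISED',
];
$query['mac2'] = expectedMac($query, $secret);

$tampered = $query;
$tampered['paymentAmount'] = '1';            // amount changed after signing
$unsigned = ['paymentStatus' => 'success'];  // the query string shown in the post

var_dump(verifyRedirect($query, $secret));
var_dump(verifyRedirect($tampered, $secret));
var_dump(verifyRedirect($unsigned, $secret));
```

In callback.php the call would be `verifyRedirect($_GET, $secret)`, with the secret loaded from server-side configuration, and the session status set only when it returns true.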