Security and Checksum Validation

All requests and responses in the PayWeb3 flow are secured using an MD5 checksum value.

This protects data integrity: both the merchant and PayGate can verify that no field value was tampered with in transit.


How the Checksum Works

  • A checksum is generated by concatenating all required fields, plus any optional fields that are populated, in the documented order with no delimiters.
  • The encryption key is appended to the end of that string.
  • The entire string is hashed using the MD5 algorithm.
  • The resulting checksum is submitted with the request, or compared against the checksum in PayGate’s response.

If the checksums don’t match on either side, the transaction will be rejected.


MD5 Overview

  • MD5 is a one-way hash function that outputs a 32-character hexadecimal value.
  • It cannot be reversed or decrypted.
  • It’s supported natively or via libraries in most modern languages.

Always generate checksums server-side. Never expose your encryption key to the frontend or client browsers.


Fields in the Checksum

For requests, the checksum includes:

PAYGATE_ID + REFERENCE + AMOUNT + CURRENCY + RETURN_URL + TRANSACTION_DATE + LOCALE + COUNTRY + EMAIL + PAY_METHOD + PAY_METHOD_DETAIL + NOTIFY_URL + USER1 + USER2 + USER3 + VAULT + VAULT_ID + KEY

For redirects:

PAYGATE_ID + PAY_REQUEST_ID + REFERENCE + KEY
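The ordering above is the part integrators most often get wrong, because a language's array or map tends to preserve insertion order rather than the documented order. The following Python is an added example, not PayGate's code: it builds both checksum sources from the two field lists on this page, taking the order from those lists rather than from the dictionary, and skips optional fields that are not populated. The email address and the key are constructed placeholders.

```python
import hashlib

# Field order for the PayWeb3 initiate request, as listed on this page
# (the function appends KEY last). Added example, not PayGate's own code.
REQUEST_FIELD_ORDER = (
    "PAYGATE_ID", "REFERENCE", "AMOUNT", "CURRENCY", "RETURN_URL",
    "TRANSACTION_DATE", "LOCALE", "COUNTRY", "EMAIL", "PAY_METHOD",
    "PAY_METHOD_DETAIL", "NOTIFY_URL", "USER1", "USER2", "USER3",
    "VAULT", "VAULT_ID",
)

# Field order for the redirect to PayGate, as listed on this page.
REDIRECT_FIELD_ORDER = ("PAYGATE_ID", "PAY_REQUEST_ID", "REFERENCE")


def checksum_source(fields, order):
    """Concatenate the populated fields in the documented order, no delimiters.

    Optional fields that are absent are skipped. The order comes from `order`,
    never from the dict, so a caller who inserts keys in the wrong order still
    produces the correct source string.
    """
    return "".join(str(fields[name]) for name in order if name in fields)


def paygate_checksum(fields, order, encryption_key):
    """MD5 (lowercase hex) of the concatenated fields with the key appended."""
    source = checksum_source(fields, order) + encryption_key
    return hashlib.md5(source.encode("utf-8")).hexdigest()


def request_checksum(fields, encryption_key):
    return paygate_checksum(fields, REQUEST_FIELD_ORDER, encryption_key)


def redirect_checksum(fields, encryption_key):
    return paygate_checksum(fields, REDIRECT_FIELD_ORDER, encryption_key)


# Constructed sample request mirroring the page's PHP example; the email
# address is a placeholder, not a real customer.
SAMPLE_REQUEST = {
    "PAYGATE_ID": 10011072130,
    "REFERENCE": "pgtest_123456789",
    "AMOUNT": 3299,
    "CURRENCY": "ZAR",
    "RETURN_URL": "https://my.return.url/page",
    "TRANSACTION_DATE": "2018-01-01 12:00:00",
    "LOCALE": "en-za",
    "COUNTRY": "ZAF",
    "EMAIL": "customer@example.com",
}

if __name__ == "__main__":
    key = "secret"  # constructed; a real key lives only in server-side config
    print(checksum_source(SAMPLE_REQUEST, REQUEST_FIELD_ORDER))
    print(request_checksum(SAMPLE_REQUEST, key))
    with_optional = dict(SAMPLE_REQUEST,
                         NOTIFY_URL="https://my.notify.url/page",
                         USER1="UserField")
    print(request_checksum(with_optional, key))
```

Because the order is fixed by the tuples and not by the dictionary, adding USER1 before NOTIFY_URL still yields the same checksum as adding them the other way round; the page's PHP `implode()` approach only works while the array is populated in exactly the documented order.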

Initiate Request Example

// Example key only; the real key stays in server-side configuration
$encryptionKey = 'secret';

// Fields listed in the order required for the checksum; optional fields are omitted
$data = array(
  'PAYGATE_ID'        => 10011072130,
  'REFERENCE'         => 'pgtest_123456789',
  'AMOUNT'            => 3299,
  'CURRENCY'          => 'ZAR',
  'RETURN_URL'        => 'https://my.return.url/page',
  'TRANSACTION_DATE'  => '2018-01-01 12:00:00',
  'LOCALE'            => 'en-za',
  'COUNTRY'           => 'ZAF',
  'EMAIL'             => '[email protected]'
);

// Concatenate with no delimiters, append the key, then hash with MD5
$checksum = md5(implode('', $data) . $encryptionKey);

Checksum source:

10011072130pgtest_1234567893299ZARhttps://my.return.url/page2018-01-01 12:00:[email protected]

Checksum result:

59229d9c6cb336ae4bd287c87e6f0220

With optional fields populated:

$data['NOTIFY_URL'] = 'https://my.notify.url/page';
$data['USER1'] = 'UserField';

Checksum source:

[email protected]://my.notify.url/pageUserFieldsecret

Checksum result:

a7e87c0c9070b79c1b163b8c3262068b

Redirect Example

$data = array(
  'PAYGATE_ID'     => 10011072130,
  'PAY_REQUEST_ID' => '23B785AE-C96C-32AF-4879-D2C9363DB6E8',
  'REFERENCE'      => 'pgtest_123456789'
);

$checksum = md5(implode('', $data) . $encryptionKey);

Checksum source:

1001107213023B785AE-C96C-32AF-4879-D2C9363DB6E8pgtest_123456789secret

Checksum result:

b41a77f83a275a849f23e30b4666e837

Best Practices

Always use md5() on the concatenated string with no delimiters.

Use strtolower() if your platform may generate uppercase hex, so that the value you send or compare is always lowercase.

Validate the checksum on all incoming responses before trusting the data.

Never log or expose your encryption key in client-facing interfaces.
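The last three practices come together when handling the response to the initiate call. The following Python is an added example, not PayGate's code: it recomputes the checksum over the redirect field order given above (PAYGATE_ID + PAY_REQUEST_ID + REFERENCE + KEY), normalises the case of the received value, compares in constant time, and refuses to hand back any field unless the checksum verifies. The URL-encoded body shape, the response field name CHECKSUM, and all sample values are constructed for this demonstration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Checksum field order for the initiate response, as given on this page.
# The field name CHECKSUM and the URL-encoded body shape are assumptions of
# this added example, not taken from PayGate's documentation.
RESPONSE_FIELD_ORDER = ("PAYGATE_ID", "PAY_REQUEST_ID", "REFERENCE")


def expected_checksum(fields, encryption_key):
    """Recompute the checksum server-side from the received fields and our key."""
    source = "".join(str(fields[name]) for name in RESPONSE_FIELD_ORDER) + encryption_key
    return hashlib.md5(source.encode("utf-8")).hexdigest()


def validate_response(raw_body, encryption_key, expected_paygate_id, expected_reference):
    """Parse a URL-encoded response and return its fields only if the checksum verifies.

    Raises ValueError on any problem so callers cannot fall through to using
    unverified data.
    """
    fields = dict(parse_qsl(raw_body, keep_blank_values=True, strict_parsing=True))
    missing = [n for n in RESPONSE_FIELD_ORDER + ("CHECKSUM",) if n not in fields]
    if missing:
        raise ValueError(f"response missing fields: {missing}")
    # Tie the response to the request we actually sent before trusting anything in it
    if fields["PAYGATE_ID"] != str(expected_paygate_id) or fields["REFERENCE"] != expected_reference:
        raise ValueError("response does not belong to the originating request")
    received = fields["CHECKSUM"].lower()  # normalise in case the sender used uppercase hex
    computed = expected_checksum(fields, encryption_key)
    # Constant-time comparison: a plain == stops at the first differing character
    if not hmac.compare_digest(received, computed):
        raise ValueError("checksum mismatch: reject the response")
    return fields


def is_valid_response(raw_body, encryption_key, expected_paygate_id, expected_reference):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        validate_response(raw_body, encryption_key, expected_paygate_id, expected_reference)
        return True
    except ValueError:
        return False


def build_sample_response(encryption_key, tamper=False):
    """Constructed sample response body (not captured from PayGate).

    The checksum is emitted in uppercase to exercise the case normalisation;
    with tamper=True, PAY_REQUEST_ID is altered after the checksum was computed.
    """
    fields = {
        "PAYGATE_ID": "10011072130",
        "PAY_REQUEST_ID": "23B785AE-C96C-32AF-4879-D2C9363DB6E8",
        "REFERENCE": "pgtest_123456789",
    }
    checksum = expected_checksum(fields, encryption_key).upper()
    if tamper:
        fields["PAY_REQUEST_ID"] = "00000000-0000-0000-0000-000000000000"
    return urlencode({**fields, "CHECKSUM": checksum})


if __name__ == "__main__":
    key = "secret"  # constructed; load the real key from server-side configuration
    print(is_valid_response(build_sample_response(key), key, 10011072130, "pgtest_123456789"))
    print(is_valid_response(build_sample_response(key, tamper=True), key, 10011072130, "pgtest_123456789"))
```

Checking PAYGATE_ID and REFERENCE against the originating request before the checksum comparison stops a valid response for one transaction being replayed against another; `hmac.compare_digest` is used in place of `==` so the comparison takes the same time whether the first or last character differs.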