Card Blocking allows you to choose which card types can be accepted for payment or stored for future-dated payments.

Payment request

<form method="POST" action="https://pay.sandbox.realexpayments.com/pay">
<input type="hidden" name="TIMESTAMP" value="20160513162110">
<input type="hidden" name="MERCHANT_ID" value="Merchant ID">
<input type="hidden" name="ACCOUNT" value="internet">
<input type="hidden" name="ORDER_ID" value="N6qsk4kYRZihmPrTXWYS6g">
<input type="hidden" name="AMOUNT" value="10000">


<!-- Begin Card Block Fields -->
<input type="hidden" name="BLOCK_CARD_TYPE" value="commercialdebit|commercialcredit">
<!-- End Card Block Fields -->


<input type="hidden" name="CURRENCY" value="EUR">
<input type="hidden" name="SHA1HASH" value="308bb8dfbbfcc67c28d602d988ab104c3b08d012">
<input type="hidden" name="AUTO_SETTLE_FLAG" value="1">
<input type="hidden" name="HPP_VERSION" value="2">
<input type="hidden" name="MERCHANT_RESPONSE_URL" value="https://www.example.com/responseUrl">
<input type="hidden" name="CARD_PAYMENT_BUTTON" value="Complete Payment">
<input type="submit" value="Click here to Purchase">
</form>

Request syntax

Type indicates whether the field is Mandatory (M), Optional (O), or Conditional (C) - depending on another optional field. Unless otherwise stated in the description, the allowed special characters in an alphanumeric string field are [/.-_‘,␣]

Element/Field Category Format Type Length Description
BLOCK_CARD_TYPE string alphanumeric O 13-61   Specifies the card type to be blocked.  Allowable values:
consumercredit
consumerdebit
commercialdebit
commercialcredit
When using multiple card types, each card type must be pipe separated - |

Generate hash

Follow the steps in this section to build the request security hash, concatenate the specified fields and hash them using the SHA-1 algorithm, concatenate the hashed string with your Shared Secret, hash it again, and add the resulted string to the request.

In addition to SHA-1, you can also generate your hash using SHA-256. The resulting hash should be placed in the <sha256hash> tag instead of the <sha1hash> tag. For more information, contact our support team at ecomsupport@globalpay.com.

info

Build the Request hash

1. Using the SHA-1 algorithm, hash a string made up of the request values

The blueprint of the hash for an HPP request using Card Blocking is shown below. Each block option passed in the payment request must be pipe separated when creating the hash:

"timestamp.merchantid.orderid.amount.currency.block_card_type|block_card_type"


Based on the above example, our initial string will be:

"20160513162110.Merchant ID.N6qsk4kYRZihmPrTXWYS6g.10000.EUR.commercialdebit|commercialcredit"
2. Concatenate the hashed string with your Shared Secret


After step 1, you'll have a string like:

“28b85cd34d0e0d6b243d58f0e9f7f4bf7da1b882”


You'll need to concatenate this with your Shared Secret, for example:

"28b85cd34d0e0d6b243d58f0e9f7f4bf7da1b882.Shared Secret"
3. SHA-1 hash the concatenated string

Our final string that we add to the request should be a hash, using the SHA-1 algorithm of your concatenated string. For example:

“947903969e7aaf996164c680a6669805fe405269”

Check hash

Follow the steps in this section to build the response security hash, concatenate the specified fields, and hash them using the SHA-1 algorithm, concatenate the hashed string with your Shared Secret, hash it again, and add the resulted string to the request.

Check the Response hash

1. Using the SHA-1 algorithm, hash a string made up of the response values

The blueprint of the hash for the response is shown below:

timestamp.merchantid.orderid.amount.currency


So, based on the above example, our initial string to check the hash of the response will be:

20160513162110.Merchant ID.N6qsk4kYRZihmPrTXWYS6g.10000.EUR
2. Concatenate the hashed string with your Shared Secret

After step 1, you'll have a string like:

28b85cd34d0e0d6b243d58f0e9f7f4bf7da1b882


You'll need to concatenate this with your Shared Secret, for example:

"28b85cd34d0e0d6b243d58f0e9f7f4bf7da1b882.Shared Secret"
3. SHA-1 hash the concatenated string and compare

Our final string that we add to the request should be a hash, using the SHA-1 algorithm of your concatenated string. For example:

“947903969e7aaf996164c680a6669805fe405269”


Global Payments creates the hash in the same way on our side and sends it back. In order to confirm that a response hasn't been tampered with, compare what you've generated with what was returned in the sha1hash element.

Internal Title
HPP Reference
Show Content Nav
On
Tags