What is site security and how does it work?

To protect your payments from unauthorised modification, you can follow the steps on this page to calculate a site security hash, to be submitted in a field called sitesecurity on your server-side payment form. The hash is generated from a selection of designated fields, including a password that will be agreed upon with our Support Team. When constructing the hash, you must ensure that you use the values present in your own server session and not the posted values.

  Do I need it?


The configuration documented on this page is suitable in the following use-cases:

  • New integrations with Payment Pages
  • Digital wallet integrations that utilise our listener

This prevents the customer from modifying important aspects of the transaction (e.g. the amount and currency) before the authorisation request is submitted to us.


This configuration is not applicable in the following use-cases:

  • Digital wallet integrations that utilise your own listener
  • When using our API to host the checkout experience on your own server

  How it works


We will read the fields in your request prior to processing an authorisation and re-generate the hash on our servers. For valid requests, the site security hash that we generate must match the value submitted in your request. This indicates the request has not been modified by the customer or a third party.

Site_security_-_Hash_matches.svg


If someone tries to modify the value of one of your designated fields, the hash we calculate on our servers will not match the hash submitted in the request. In this case, the payment will not be completed and an error message is shown to the customer.

Site_security_-_Hash_mismatch.svg

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request