Buckaroo Support - EN

Security

  • In order to ensure that Buckaroo can verify the sender of the transaction and make sure that no alterations were made to the message during transport, Buckaroo uses a digital signature for each transaction. This signature consists of a hash of all fields from the message, with the addition of a secret key. The secret key can be set in the Payment Plaza under Profile -> Security.
  • All Buckaroo websites are secured with an HTTPS certificate. Below you’ll find an explanation on how to deal with the transfer from the Merchant’s website to Buckaroo and vice versa.
  • Logging in to the online environment can be protected by two-factor authentication. Below you will find more information.

Calculation of digital signature

The calculation of the signature works as follows:

  • List all fields in the payment request starting with brq_, add_ or cust_, except brq_signature, in the following format:
    brq_fieldname=Value
  • Order these fields alphabetically based on the field name (brq_amount precedes brq_websitekey). Important: the ordering should not be case-sensitive (brq_active precedes BRQ_AMOUNT). Capital letters in field names should be preserved.
    For example: BRQ_AMOUNT=1.00brq_currency=EURbrq_websitekey=asdfasdfsecret
  • Add all these values together, formatted as stated in step 1, in a string. Do not use any separators or blank spaces.
    For example: BRQ_AMOUNT=1.00brq_currency=EURbrq_websitekey=asdfasdfsecretkey
  • Add the pre-shared secret key to the end of this string.
  • Calculate a hash from this string with the selected (SHA) algorithm. Output the hash in hexadecimal format.

Important: For the return and the push, the data have to be fully decoded before the signature can be calculated.

Instruction: The use of the selected (SHA) hash algorithm differs per development platform. Most languages (such as PHP and ASP.NET) have default implementations of the selected SHA algorithm. For other languages, such as classic ASP, implementations for the selected SHA algorithm can be found on the internet.
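The steps above, including the decoding requirement for the return and the push, as an added Python example (not Buckaroo's own code). It assumes case-insensitive prefix matching, UTF-8 encoding, a form-encoded push body and SHA-256 as the selected algorithm; the sample values are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

SIGNED_PREFIXES = ("brq_", "add_", "cust_")


def build_payload(fields, secret_key):
    """Concatenate the signed name=value pairs and append the secret key."""
    # Assumption: prefixes are matched case-insensitively, since the page
    # shows upper-case names such as BRQ_AMOUNT.
    signed = [n for n in fields
              if n.lower().startswith(SIGNED_PREFIXES)
              and n.lower() != "brq_signature"]
    # Case-insensitive ordering; the capitalisation of each name is preserved.
    signed.sort(key=str.lower)
    return "".join(f"{n}={fields[n]}" for n in signed) + secret_key


def compute_signature(fields, secret_key, algorithm="sha256"):
    """Hex digest of the payload. `algorithm` must match the SHA variant
    selected for the account; sha256 here is only an assumed default."""
    payload = build_payload(fields, secret_key)
    # Assumption: the string is hashed as UTF-8 bytes.
    return hashlib.new(algorithm, payload.encode("utf-8")).hexdigest()


def verify_push(raw_body, secret_key, algorithm="sha256"):
    """Check the signature on a form-encoded return or push body."""
    # parse_qsl URL-decodes names and values, so the hash is calculated
    # over fully decoded data as the page requires.
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    received = next((v for k, v in fields.items()
                     if k.lower() == "brq_signature"), "")
    expected = compute_signature(fields, secret_key, algorithm)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"brq_websitekey": "asdfasdf", "brq_currency": "EUR",
              "BRQ_AMOUNT": "1.00"}
    sig = compute_signature(sample, "secretkey")
    body = f"BRQ_AMOUNT=1.00&brq_currency=EUR&brq_websitekey=asdfasdf&brq_signature={sig}"
    print(verify_push(body, "secretkey"))                          # valid push
    print(verify_push(body.replace("1.00", "9.00"), "secretkey"))  # altered amount
```

A push that lacks brq_signature, or whose fields were changed after signing, fails verification and should be rejected before any order status is updated.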

Security alert HTTPS

Explanation

The Buckaroo payment environment is entirely equipped with SSL certificates. This is visible through the “padlock” that is shown on the webpages and the URL beginning with HTTPS instead of HTTP. Buckaroo recommends implementing both the online store checkout and the redirect page in an HTTPS-secured environment. This way the data are illegible should they get intercepted on the internet.

Warning

When the customer returns to the Merchant’s online store after having made a payment, a warning might be displayed. Customers are then warned that they’re leaving the safety of the Buckaroo environment and are redirected to the online store’s unprotected Thank You page.

Measure

In order to avoid an error message, it is important to protect the Thank You page with an SSL certificate. So you’ll have to change the Thank You page from http://return.merchantnaam.nl to https://return.merchantnaam.nl.
In order to verify whether the return URL is working properly, it can be extracted from the message to Buckaroo and placed in a browser. If the URL doesn’t work, check whether it actually starts with HTTPS. An unprotected Thank You page can cause problems, particularly with the Safari browser on the iPad and iPhone. The option to proceed is not always available. This results in incomplete payments and thus conversion loss.

Two factor authentication - 2FA

Access to the Buckaroo Payment Plaza can be protected with two-factor authentication. This way the user can rest assured that not just anyone can log in to the Buckaroo Plaza by simply typing in the username and password. In addition to the current log-in data, we recommend you also set up an extra verification via your phone with Google Authenticator. This can be downloaded from the app store for the relevant type of phone. With two-factor authentication, two of the following forms of authentication must be satisfied:

  • Something the user knows (knowledge about the login)
  • Something the user possesses (phone with authentication App)
  • Something the user is (personal characteristic, such as iris recognition or fingerprint)

Authentication steps

  • Log in to the Payment Plaza
  • Press the arrow button behind the login name in the upper right corner
  • Select Settings
  • Select Set up Two-factor authentication (see image)
  • Scan the QR code that becomes visible
  • From now on, you can log in to the Buckaroo Plaza with an automatically generated code