This parameter is used to verify the passbacks for you. Depending on what parameter set you are using, this will either appear as ‘key’ or ‘x_MD5_Hash‘. The MD5 hash is also provided to help you verify the authenticity of INS posts. On INS posts the hash is returned in the md5_hash parameter.

One of the Md5 hash components involves a secret word that can be set by you. To set it, follow these directions:

Setting Your Secret Word:

1. Login to your account.
2. Click on “Look and Feel” found on your account homepage.
3. Enter your secret word into the data field labeled, “Your Secret Word (16 Character Limit)”. As labeled, the only limit is that it must be 16 characters or less.
4. Click “Save Changes” when you are finished.

Please read the related article below for more information about the MD5 Specifications.
How do I use the MD5 Hash?

The MD5 hash is provided to help you verify the authenticity of a sale. This is especially useful for vendors that sell downloadable products, or e-goods, as it can be used to verify whether sale actually came from 2Checkout and was a legitimate live sale. We intentionally break the hash code for demo orders so that you can compare the hash we provide with what it should be to determine whether or not to provide the customer with your goods.

To calculate the MD5 hash, you need to make a string that contains the information described below and pass it in as the value to your scripting languages MD5 function. Below is an example:

md5 ( secret word + vendor number + order number + total )

The secret word is set by yourself on the Site Managment page. The vendor number is your numerical vendor/seller ID number. The order number is the order number for the sale. The total is the numerical value for the total amount of the sale.

Demonstration:

Secret Word => tango
Vendor Number => 123456
Order Number => 9999999
Total => 5.99

md5hash = md5( tango12345699999995.99 )

It is important to note that the MD5 hash must also be converted to upper case letters for a clean comparison. How this is done depends on the scripting language that you use. Below are some examples of how to compute the MD5 hash using PHP. This should illustrate how this process works.

The following code would be applicable to orders placed using our Plug and Play cart and our proprietary third party set of parameters.

$string_to_hash = “tango123456″ . $_POST["order_number"]
.
$_POST["total"];
$check_key = strtoupper(md5($string_to_hash));

echo (”Returned MD5 Hash : ” . $_POST["key"]
. “<BR>”);
echo (”Should be : ” . $check_key . “<BR>”);

if($check_key == $_POST["key"]){
// At this point the expected key and the returned key match, so the customer should be given access to the download
// This is where you would want to put the code or page for the download
echo (”<center>They match!</center>”); }
else {
// At this point the keys do not match, so either the attempt was fraudulent or a demo order
// This is where you would put the code or page for an unsuccessful attempt
echo (”<center>They do NOT match! Was this a demo order?</center>”);}

The following code would then be applicable to orders placed using the Authorize.net
parameter set.

$string_to_hash = “tango123456″ . $_POST["x_trans_id"]
.
$_POST["x_amount"];
$check_key = strtoupper(md5($string_to_hash));

echo (”Returned MD5 Hash : ” . $_POST["x_MD5_Hash"]
. “<BR>”);
echo (”Should be : ” . $check_key . “<BR>”);

if($check_key == $_POST["x_MD5_Hash"]){
// At this point the expected key and the returned key match, so the customer
should be given access to the download
// This is where you would want to put the code or page for the download
echo (”<center>They match!</center>”); }
else {
// At this point the keys do not match, so either the attempt was fraudulent
or a demo order
// This is where you would put the code or page for an unsuccessful attempt echo (”<center>They do NOT match! Was this a demo order?</center>”);}

The MD5 hash is also provided to help you verify the authenticity of INS posts. The MD5 hash that is sent with INS posts is a hash of sale_id + vendor_id + invoice_id + secret word in the md5_hash parameter.

Demonstration:

sale_id => 9999999999
vendor_id => 123456
invoice_id => 1111111111
Secret Word => tango
md5hash = md5( 99999999991234561111111111tango )

The following code would be applicable to orders placed using our Plug and Play cart and our proprietary third party set of parameters.

$string_to_hash = $_POST[“sale_id”] . “123456” . $_POST[“invoice_id”] . “tango”;
$check_key = strtoupper(md5($string_to_hash));
echo (“Returned MD5 Hash : ” . $_POST[“md5_hash”]
. “
”);
echo (“Should be : ” . $check_key . “
”);
if($check_key == strtoupper($_POST[“md5_hash”])){
// If the expected key and the returned key match the authenticity of the message has been validated.
echo (”They match!”); }
else {
// At this point the keys do not match.
// This is where you would put the code for an unsuccessful attempt.
echo (“They do NOT match!”);}

Please note that help with implementing the MD5 hash into your return script is beyond the realm of 2Checkout.com’s support. This document is provided merely as a reference document to help point you in the right direction. How the MD5 hash is computed is dependent upon the scripting language that you use. Implementation of any MD5 hash checking is solely on your end or your server. 2Checkout.com can not provide you with support in implementing this or troubleshooting your implementation. We provide you with the hashes as a convenience to help you protect your digital goods.

The following links may be of interest to you if you are looking for more information on the MD5 algorithm and its use.

http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html
http://en.wikipedia.org/wiki/MD5
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfSystemSecurityPolicyHashClassMD5Topic.asp

We have also intentionally designed the MD5 hash not to work for demo sales as was explained earlier. If the sale is in demo mode, the order number used to create the hash will be forced to a one, which will cause the hashes to be different when you compare them. If you wish to test the hashes, you’ll have to place a live test order using a real credit card number.

When an order is initially placed, 2checkout.com will gain an authorization from the customer’s bank to guarantee that the funds will be available. The length of time these authorizations are valid varies depending upon the bank.

If you mark an order as shipped before the authorization expires, there will be no need to gain a reauthorization. However, if the authorization expires before you provide the shipping details, the order will be moved to the reauthorization section of your mark shipping page and you will need to click the button to reauthorize the card before you will be able to mark the order as shipped. The fee for each reauthorization attempt, whether it is successful or not, is $0.25 USD.

If a reauthorization is successful, you will receive a confirmation and the order will be moved back to the regular area of your Mark Shipping screen so that you can enter the tracking details.

In some cases, the reauthorization will fail to process at the customer’s bank. This will often happen if the funds are no longer available or if the customer’s card has recently expired. When the reauthorization fails you have 3 options for proceeding with the sale.

1. You can simply wait until the next day and attempt the authorization again (you can only attempt to reauthorize an order once a day).

2. You can send an email to your customer advising them that their bank is now declining the transaction. They can simply contact their bank to have them remove any blocks.

3. You can send the customer a request for payment for the missing amount. To send a request for payment you can simply click on the ‘Create Invoice’ button from your Account Homepage. This will allow the customer to provide updated billing and credit card information.

Please note, however, that the request for payment will actually create a brand new sale number in the system. You will want to make sure that you cancel the original order for your own records.

Internet fraud, credit card fraud, and identify theft are on the rise. 2CO combines a number of industry-leading external and internal resources to identify potentially fraudulent orders. These, in combination with your own diligence and familiarity with your consumers will go a long way toward reducing the number of fraudulent orders and charge backs experienced.

Downloadable goods experience higher rates of fraudulent activity due to the almost instantaneous access to the product purchased. Some downloadable products (such as software) experience even higher levels of fraud.

We recommend the that following actions are a part of your sales process:

• Tangible products should not be shipped until you receive an automatic sales email notification that states the sale is PASSED.
• Look for IPs from high-fraud countries.
• Contact 2CO’s Fraud Dept (FRAUD@2Co.com) with any concerns or to request a representative manually review an order.
• Be familiar with 2CO’s refund return policy and charge back procedures.
• Link to the 2Co privacy policy.

Privacy Policy: https://www.2checkout.com/documentation/privacy.htm

Operating Regulations: https://www.2checkout.com/documentation/operating.html

• Be sure that customers are completely familiar with your delivery process. If you are shipping expensive items, use a package service that provides proof of delivery. There will always be some customers out there who falsely claim that a package was not received (and occasionally there will be packages that truly are lost or stolen). Since you bear the responsibility for those losses, you should take care not to put large amounts of money at risk.
• Respond to 2Checkout.com’s requests for information promptly.
• Make customers aware that 2Checkout.com is your authorized reseller. A link to our ticket system or a list of the phone number for our customer care center can be posted on your website.
• Thoroughly describe your offering, show photos, and disclose any important limitations. Ensuring the customer’s expectations match what arrives in the mail will save you and the customer time, money and aggravation.
• Respond to customer requests for assistance promptly. If an issue can not be resolved to the customer’s satisfaction offer them a partial or full refund.
• Manually review all incoming orders for fraud. If you have any suspicions about an order, please contact our Fraud Department at fraud@2co.com for assistance.
• To ensure that they wanted to place multiple orders, contact all customers placing more than one order within a short amount of time.
• If you are selling a product/service that entails multiple billings, make sure that the customer is fully aware of the future billings and your cancellation policy.