Overview
The "MAC INVALID" error message arises when the Computop Paygate receives a payment request containing an invalid or missing Hash Message Authentication Code (HMAC). The HMAC is a security mechanism intended to verify the authenticity and integrity of messages, thereby preventing manipulations. An HMAC value is submitted to the Paygate in the MAC parameter for every transaction.
Cause
The "MAC INVALID" error message is triggered when the HMAC value passed in the MAC parameter is invalid or missing. This can occur when:
-
The HMAC value has not been correctly calculated. The calculation of the HMAC value involves a password and several parameter values, including PayID, TransID, MerchantID, Amount, and Currency. These values are separated by asterisks and then hashed using the HMAC SHA-256 algorithm and a 32-character key (256-bit).
-
The MerchantID used in the HMAC calculation does not match the MerchantID in the unencrypted request (MerchantID parameter). The case sensitivity of "MerchantID" must be observed during processing. In your analysis, keep in mind that the MerchantID is included in both the encrypted and the unencrypted part of the message.
-
One or more of the parameters required for the HMAC value calculation are missing or invalid.
Solution
To resolve the "MAC INVALID" error message, you should perform the following steps:
-
Verify whether you have correctly calculated the HMAC value. Ensure that you are using the correct password and parameter values, and that these values are correctly separated by asterisks.
-
Ensure that the MerchantID you are using in the HMAC calculation matches the MerchantID in the unencrypted request. Pay attention to the correct case sensitivity.
-
Check whether all the parameters required for the HMAC value calculation are present and valid.
-
If you are still experiencing issues, contact the Computop Helpdesk, who can provide you with the correct hash password.
Please note that the Paygate immediately rejects transactions with incorrect or missing HMAC values without further processing, as this could indicate hacking attempts. Therefore, transactions rejected by the Paygate with the error codes *0044 do not appear in Computop Analytics.