How can I verify that the post-sale request really comes from the PostFinance servers?

There are two options, which can be combined if desired:

  1. You can verify the originating IP address. PostFinance uses a range of IP addresses that can be configured in your firewall.
  2. You can configure a SHA string (SHA-out) on the technical information page of your PostFinance account.
    Because only you and PostFinance know the digital signature you entered into your account, you can be certain the request actually comes from our server.
    Because this SHA string will have been constructed using the parameters we returned to you in the request, you can also be sure that they have not been tampered with.
    The SHA-out string used after the payment is not to be confused with the SHA-in string used to check a transaction before payment.
    PostFinance creates a string by concatenating the value of the following parameters: OrderID + Currency + Amount + PM + Acceptance + Status + CardNo + Alias + PayID + NCERROR + BRAND + StringEnteredInTheTechnicalInfoPage.
    If an alias is not used, omit the Alias field from the concatenation.
    The ‘+’ signs above only indicate concatenation: when constructing the hash string, do not put ‘+’ or spaces between the fields.
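
Both checks combined on the merchant side, as an added example that is not PostFinance's own code. Assumptions: SHA-1 with upper-case hex output (the text above only says "SHA"), the documentation range 203.0.113.0/24 standing in for the real PostFinance IP range, and the function names, sample values and secret, which are all constructed.

```python
import hashlib
import hmac
import ipaddress

# Field order as listed above; the string from the technical info page goes last.
SHA_OUT_FIELDS = ["OrderID", "Currency", "Amount", "PM", "Acceptance", "Status",
                  "CardNo", "Alias", "PayID", "NCERROR", "BRAND"]

# Placeholder (documentation range), NOT the real PostFinance range.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def expected_sha_out(params, secret, alias_used=False, algorithm="sha1"):
    """Concatenate the values with no '+' or spaces, append the secret, hash."""
    fields = [f for f in SHA_OUT_FIELDS if f != "Alias" or alias_used]
    data = "".join(str(params.get(f, "")) for f in fields) + secret
    # Assumption: SHA-1 and upper-case hex; set algorithm to match your account.
    return hashlib.new(algorithm, data.encode("utf-8")).hexdigest().upper()


def from_allowed_ip(remote_ip):
    """Option 1: the request must originate from a configured network."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # malformed address is treated as untrusted
    return any(addr in net for net in ALLOWED_NETWORKS)


def is_genuine(params, received_digest, remote_ip, secret, alias_used=False):
    """Both options combined: source address first, then the SHA-out digest."""
    if not from_allowed_ip(remote_ip):
        return False
    expected = expected_sha_out(params, secret, alias_used)
    received = (received_digest or "").upper()
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample request (not real transaction data); no alias in use.
SAMPLE_SECRET = "constructed-sha-out-secret"
SAMPLE_PARAMS = {"OrderID": "ORD-1001", "Currency": "CHF", "Amount": "25.5",
                 "PM": "CreditCard", "Acceptance": "test123", "Status": "5",
                 "CardNo": "XXXXXXXXXXXX1111", "PayID": "1234567",
                 "NCERROR": "0", "BRAND": "VISA"}
```

Take `remote_ip` from the TCP connection itself rather than from a client-supplied header such as X-Forwarded-For, unless a proxy you control sets that header.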