SSL, Security and Hashing
Helcim.js greatly reduces your security and compliance scope by establishing a secure connection between the cardholder's web browser and our Helcim API.
In test-mode, an SSL certificate is not required to be present on your checkout page. However, you need to tell Helcim.js to skip the SSL verification by creating an input field with
In production mode, Helcim.js will verify that an SSL certificate is present, or return an error.
New to Helcim.js 2.0 is the configuration. This allows you to control your Helcim.js settings on the back-end (through the Helcim Commerce administration), removing the ability for the end-user to alter your desired settings. You can set a transaction size minimum to deter card-testing on your checkout page, enable amount hashing (see below), decide whether transactions should be purchases, pre-auths or verifications-only, and determine whether the configuration is set to test-mode or production.
Amount Hashing is an optional security tool available with Helcim.js. It is used to prevent the end-user from modifying the transaction amount through their web browser or POST manipulation:
- When enabled in your configuration, a secret Hash key is created. This key should not be shared or made available to the end-user.
- When setting the amount field, you should also set the amountHash field with the hashed value. This will allow Helcim.js to confirm that the amount received was in fact set by the merchant and not modified by the customer.
- Helcim.js will hash the amount field with the secret key of your Helcim.js configuration, and make sure that the output matches exactly with the received amountHash value.
- The hash should be computed using SHA-256 over the secret key concatenated with the amount value (secret key first, then the amount).
- The amount value should be formatted as #######.## with 2 decimal places and no comma separations.
- If the hashes do not match and Hashing is enforced, Helcim.js will return an error.
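The server-side computation described in the list above, as an added Python example (not Helcim's own code). It assumes UTF-8 encoding and a lowercase hex digest, which the page does not specify; `SECRET_KEY` is a constructed placeholder and the function names are hypothetical.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed placeholder. The real key comes from your Helcim.js configuration
# and stays on the server (environment variable or secrets manager), never in
# page source or client-side JavaScript.
SECRET_KEY = "example-secret-hash-key"


def format_amount(amount) -> str:
    """Return the amount as #######.## (two decimals, no comma separators)."""
    try:
        value = Decimal(str(amount))
        if not value.is_finite() or value < 0:
            raise InvalidOperation
        cents = value.quantize(Decimal("0.01"))
    except InvalidOperation:
        raise ValueError(f"not a valid amount: {amount!r}") from None
    if cents != value:
        # Refuse to round silently: the hashed string must equal the posted one.
        raise ValueError(f"more than two decimal places: {amount!r}")
    return format(cents, "f")


def amount_hash(secret_key: str, amount) -> str:
    """SHA-256 of the secret key concatenated with the formatted amount.
    Assumption: UTF-8 input and hex output."""
    data = (secret_key + format_amount(amount)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def checkout_fields(secret_key: str, amount) -> dict:
    """Values for the amount and amountHash fields, rendered by the server."""
    return {"amount": format_amount(amount),
            "amountHash": amount_hash(secret_key, amount)}


def hash_matches(secret_key: str, received_amount, received_hash: str) -> bool:
    """Local mirror of the comparison the page describes, for testing your
    integration: recompute the hash and compare in constant time."""
    try:
        expected = amount_hash(secret_key, received_amount)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), received_hash.lower().encode())
```

Because the formatted string is what gets hashed, `25`, `25.0` and `25.00` all produce the same `amountHash`, while an amount edited in the browser no longer matches the hash the server issued.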