Helcim Support & Tutorials

© Copyright 2006-2018 Helcim Inc.

All Rights Reserved.

SSL, Security and Hashing

Helcim.js greatly reduces your security and compliance scope by establishing a secure connection between the cardholder's web browser and our Helcim Commerce API.

SSL/TLS Certificate

Unfortunately, the customer cannot see the secure HTTPS connection established by the JavaScript without examining the source code. Therefore, from an appearance standpoint, it is important that merchants have an SSL certificate installed on the displayed page, as customers have been trained to look for one. It is also good practice to use SSL whenever capturing customer information, even if sensitive cardholder information is handled by Helcim.

In test-mode, an SSL certificate is not required to be present on your checkout page. However, you need to tell Helcim.js to skip the SSL verification by creating an input field with id="test" value="1".

In production mode, Helcim.js will verify that an SSL certificate is present, or return an error.

Helcim.js Configuration

New to Helcim.js 2.0 is the configuration. This allows you to control your Helcim.js settings on the back-end (through the Helcim Commerce administration), removing the ability for the end-user to alter your desired settings. You can set a transaction size minimum to deter card-testing on your checkout page, enable amount hashing (see below), decide whether transactions should be purchases, pre-auths or verifications-only, and determine whether the configuration is set to test-mode or production.

Amount Hashing

Amount Hashing is an optional security tool available with Helcim.js. It is used to prevent the end-user from modifying the transaction amount through their web-browser or POST manipulation:
  • When enabled in your configuration, a secret Hash key is created. This key should not be shared or made available to the end-user.
  • When setting the amount field, you should also set the amountHash field with the hashed value. This will allow Helcim.js to confirm that the amount received was in fact set by the merchant and not modified by the customer.
  • Helcim.js will hash the amount field with the secret key of your Helcim.js configuration, and make sure that the output matches exactly with the received amountHash value.
  • The hash should be performed using sha256, and should be the secret key concatenated with the amount value.
  • The amount value should be formatted as #######.## with 2 decimal places and no comma separations.
  • If the hashes do not match and Hashing is enforced, Helcim.js will return an error.

Code Samples

Hashing Code

Hash Method = sha256
Value = secret_key concatenated with amount
Amount Format = #######.##

Amount Hashing Code Sample PHP


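	<?php
	// Secret hash key from your Helcim.js configuration (keep it server-side only)
	$secretKey = '13dbdeadcde3e5f7b7dc5bf7041850a5660e0587';
	// Amount formatted as #######.## (2 decimal places, no comma separators)
	$amount = '2500.00';

	// sha256 of the secret key concatenated with the amount
	$amountHash = hash('sha256', $secretKey.$amount);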
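
The same scheme for a Node.js back-end, as an added example that is not Helcim's own code: it builds the amount and amountHash values server-side from integer cents and shows the recompute-and-compare check described above rejecting a modified or misformatted amount. The function names (formatAmount, amountHash, checkoutFields, hashMatches) are hypothetical, and the key is the sample value from the PHP snippet.

```javascript
// Added example, not Helcim's code. Runs on the merchant's server (Node.js),
// never in the browser: the secret key must not reach the end-user.
const crypto = require('node:crypto');

// Sample key reused from the PHP snippet; load the real one from server-side config.
const SECRET_KEY = '13dbdeadcde3e5f7b7dc5bf7041850a5660e0587';

// Format integer cents as #######.## (two decimals, no comma separators).
// Working in cents avoids float drift that would change the hashed string.
function formatAmount(cents) {
  if (!Number.isSafeInteger(cents) || cents < 0) {
    throw new RangeError('amount must be a non-negative integer number of cents');
  }
  const whole = Math.floor(cents / 100);
  const frac = String(cents % 100).padStart(2, '0');
  return `${whole}.${frac}`;
}

// sha256 over secret key concatenated with the formatted amount, hex encoded
// (same output form as PHP's hash('sha256', ...)).
function amountHash(secretKey, amount) {
  return crypto.createHash('sha256').update(secretKey + amount, 'utf8').digest('hex');
}

// Values the server renders into the checkout form's amount and amountHash fields.
function checkoutFields(secretKey, cents) {
  const amount = formatAmount(cents);
  return { amount, amountHash: amountHash(secretKey, amount) };
}

// Illustration of the check the page describes: recompute the hash from the
// received amount and compare it with the received amountHash in constant time.
function hashMatches(secretKey, amount, receivedHash) {
  const expected = Buffer.from(amountHash(secretKey, amount), 'hex');
  const received = Buffer.from(String(receivedHash), 'hex');
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}
```

A hash computed over "2500" or "2,500.00" does not match one computed over "2500.00", so format the amount once and hash exactly the string that goes into the amount field.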