Accepting payments using Eway
I intend to use eWay as payment gateway but encounter problem after problem in implementing it.
As I don't want to touch credit card details at any point, neither storing nor transferring them via my site due to PCI requirements, I need to redirect users to a page hosted by the gateway. Users provide all the details there and the gateway returns the result confirmation to the page I specified, let's call it payment_done.php.
Now, in payment_done.php I don't know for sure if the confirmation came back from the payment gateway itself or someone just POSTed it to my page and it's a fake. So my page might receive a confirmation, but the payment might not be done at all.
Now in payment_done.php I need to ask eway then if this confirmation I received (with some specific transaction ID) came from them and if so whether the amount is right etc. Eway will return true/false back to me and then I can be sure the payment's been done for the right amount.
Now the problem is that eway seems to allow querying for this confirmation only 100 times a day.
I seem to have run out of ideas now and am desperately seeking help. What options do I have left? It seems unbelievable that there is no way to make it work without falling into PCI compliance issues, even using a payment gateway hosted page. Thanks in advance for any help.
The answer is twofold.
You verify that the post came from an eway server; if the request came from anywhere else, you don't allow the request. This is your main form of security.
In case somebody at eway wants to hack your site, implement this:
Before sending the user for payment, create a long hash. You can use a session variable to hold this.
Pass the hash using the eWAYoption1 parameter.
When eway posts back an answer, check the eWAYoption1 value to verify it matches the current user's payment hash.
You must delete the session variable as soon as you have validated it. Even if the hash is wrong, invalidate the session variable and make them start over.
Between the hash, and verifying the posting IP address, you should be pretty safe.
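The nonce-in-eWAYoption1 flow the answer describes, as an added example that is not part of the original question or answer. It assumes a PHP session is available, that the gateway URL, the gateway IP allowlist and the result field names (amount_cents, status) are placeholders to be replaced from eWay's own documentation, and that the result is posted server-to-server so REMOTE_ADDR is the gateway's address.

```php
<?php
// Added example (not from the question or answer): one-time nonce carried in eWAYoption1,
// consumed on the first postback, plus an origin-IP check, as the answer recommends.
session_start();

const GATEWAY_URL = 'https://GATEWAY-HOSTED-PAGE-URL-PLACEHOLDER';   // placeholder
const GATEWAY_IPS = ['203.0.113.10', '203.0.113.11'];                 // placeholder allowlist

// Step 1: before redirecting, mint an unguessable nonce and remember the amount we expect.
function begin_payment(int $amount_cents): string
{
    $nonce = bin2hex(random_bytes(32));                // 256 bits of CSPRNG output
    $_SESSION['eway_nonce']  = $nonce;
    $_SESSION['eway_amount'] = $amount_cents;
    // The nonce travels in eWAYoption1 and is echoed back unchanged in the result post.
    return GATEWAY_URL . '?' . http_build_query(['eWAYoption1' => $nonce]);
}

// Step 2 (payment_done.php): accept the result only if every check passes.
// Whatever the outcome, the nonce is consumed, so a replay or a retry must start over.
function verify_result(array $post, string $remote_ip): bool
{
    $expected_nonce  = $_SESSION['eway_nonce']  ?? null;
    $expected_amount = $_SESSION['eway_amount'] ?? null;
    unset($_SESSION['eway_nonce'], $_SESSION['eway_amount']);   // single use, always

    if ($expected_nonce === null || $expected_amount === null) {
        return false;                                  // no payment in progress for this session
    }
    if (!in_array($remote_ip, GATEWAY_IPS, true)) {
        return false;                                  // not posted by the gateway
    }
    $nonce = (string) ($post['eWAYoption1'] ?? '');
    if (!hash_equals($expected_nonce, $nonce)) {
        return false;                                  // constant-time compare; wrong or missing nonce
    }
    // Hypothetical result field names; use the gateway's real ones for amount and status.
    if ((int) ($post['amount_cents'] ?? -1) !== $expected_amount) {
        return false;                                  // amount differs from what this session ordered
    }
    return ($post['status'] ?? '') === 'approved';
}

// In payment_done.php:
//   $paid = verify_result($_POST, $_SERVER['REMOTE_ADDR']);
```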