Shopping cart interface help.

• Introduction
  • Who needs this information
  • Terminology
  • Basic information about SCI
  • How SCI works
  • Preparation
• Accepting and processing payments
  • SCI overview
  • Payment Request Form
  • Payment Successful Form
  • Payment Failed Form
  • Payment Status Form
  • Simple example of forms for accepting payments
  • Verification of SCI server's data
• Security considerations
• Change log

Introduction

This document describes functions and specific details of working with Liberty Reserve Shopping Cart Interface (SCI). SCI - is a programmatic interface that allows any Merchant to automatically accept payments online.
SCI is a must have interface for any online store or other business that conducts transactions online.

Who needs this information

This document is intended for web masters and developers working with businesses that wish to accept and process payment data online.

Developers are required to have experience in the following:

• basic knowledge of HTML
• ability to work with HTML forms
• processing of SCI server replies

In addition, experience of working with HASH techniques is preferred.

Terminology

Title	Definition
Merchant	Liberty Reserve account holder that accepts payments into his account via SCI, usually for products or services offered at his online store.
Buyer	Liberty Reserve account holder that purchases products or services from Merchant. Buyer is redirected to SCI web site to perform his payment.

Basic information about SCI

SCI is a part of Liberty Reserve system that allows to transmit a payment from Buyer's to Merchant's account. It is located on a separate web site that is utilized for processing payments for products or services offered by the Merchant.
SCI and Merchant's web site utilize HTML forms to transmit information between each other, which allows the Buyer to complete transfer and the Merchant to receive and properly process received payment.
Merchant's web site must contain at least three HTML pages to successfully accept payments:

• payment page that redirects Buyer to SCI web site to complete payment for products or services
• payment successful page to inform the Buyer that his payment is completed successfully
• payment failed page to inform the Buyer that his payment has failed

How SCI works

To accept online payment, Merchant's web site should redirect the Buyer to SCI web site to perform the payment for products or services ordered on the Merchant's web site. Once the payment is successfully complete, the Buyer will be redirected back to Merchant's web site.
Complete process of accepting payments via SCI contains the following steps (graph 1):

• Buyer selects a product or a service from an online store and decides to purchase it. Merchant displays the total amount of purchase and Buyer, in turn, proceeds to pay for his order by clicking an appropriate button or link. At this time, Merchant's web site redirects the Buyer to the Liberty Reserve SCI and sends payment request form.
• Next, Buyer appears on SCI authentication web page. Buyer will have to enter his Liberty Reserve account number, Login PIN and password. At this time, Buyer will also have an opportunity to cancel the payment. In this case, Buyer will be forwarded back Merchant's web site to payment failed page (step 8).
• If authentication process is successful, then Buyer will proceed to SCI payment page. On this page, he will have an opportunity to enter amount of payment, select currency and, in some cases, destination account number. At this stage, Buyer will have an option to cancel payment and as before, will be redirected to Merchant's web site to see the payment failed page (Step 8).
• Payment confirmation process. Buyer is shown complete payment details so that he can verify all payment details. Buyer has an option to edit details of this payment by clicking Edit, or confirm this payment by clicking Confirm. Once Buyer confirms the payment, SCI system will attempt to transfer funds from Buyer's to Merchant's account.
• As soon as the payment is finalized, SCI will transmit payment status form to the Merchant's web site. Buyer, meanwhile, will not be redirected back to Merchant's web site, as this data will be transmitted in the background using POST or GET request via HTTP to payment confirmation page or module or will be sent via e-mail.
• Payment result page. If payment is successful, the user will see complete transaction details, including transfer id. Once user clicks Continue button, they are moving on to step 7.
  If payment was not successful, then Buyer receives any applicable error information and by clicking Continue button, moves on to step 8.
  
• Payment successful page. This page is located at the Merchant's web site and informs Buyer that his payment has been accepted.
• Payment failed page. This page is located on Merchant's web site and informs Buyer that his payment has failed.

Preparation

Liberty Reserve SCI works in one of two modes:

• Simple mode. Merchant's account can accept incoming payments without creating and using store entry. It is no need for Merchant to create any store entry in its account. This mode is simplest to use SCI but less secure because in this case Merchant can't verify data received from SCI server (see Verification of SCI server's data).
• Advanced mode. Merchant's account accepts incoming payments via account store entry. Merchant should create and prepare at least one store entry in its account. This mode is more secure because in this case Merchant can verify data received from SCI server (see Verification of SCI server's data).

As a Merchant, if you want to use SCI advanced mode you will need to perform the following steps before you can start working with SCI on your web site:

1. You need to create SCI store entry in your Liberty Reserve account. The proper way to do it is to login to your Liberty Reserve account and select "Manage Stores" option in Merchant Tools. Click on "Create" button to create a new store. Your SCI will not work properly if you do not follow these steps.
2. Setup your store for proper work with Liberty Reserve SCI. You will need to specify the following:
   • Store name. This is the name of your store that SCI will use when transmitting payment request form
   • Security word. This parameter is used by authentication system when SCI transfers data to Merchant's web site
   • Success URL. This is the URL address where the Buyer will be redirected by SCI upon successful payment execution. Usually, this page will notify the Buyer that payment has been processed successfully. URL can contain query string parameters, e.g. "http://www.merchant.com/success.php?a=b".
     You may omit this parameter and/or specify it in payment details form
   • Success URL HTTP method. As a method of redirect to Merchant's success page, Merchant can use of the following:
     • POST — payment success form are redirected to Merchant's success page via HTTP POST request
     • GET — payment success form are redirected to Merchant's success page via HTTP GET request
     • LINK — SCI performs simple redirect to Merchant's success page via HTTP LINK request without payment success form data transmit
   • Fail URL. This is the URL address of a web page that the Buyer will be redirected to by SCI, when he cancels his payment or when his payment has failed. Usually, this page informs the Buyer that payment has not been completed or has been canceled. URL can contain query string parameters, e.g. "http://www.merchant.com/fail.php?a=b".
     You may omit this parameter and/or specify it in payment details form
   • Fail URL HTTP method. As a method of redirect to Merchant's fail page, Merchant can use of the following:
     • POST — payment fail form are redirected to Merchant's fail page via HTTP POST request
     • GET — payment fail form are redirected to Merchant's fail page via HTTP GET request
     • LINK — SCI performs simple redirect to Merchant's fail page via HTTP LINK request without payment fail form data transmit
   • Status URL. As a status URL, Merchant can use of the following:
     • This is the web page address on Merchant's server, where SCI sends payment status form. This form is transmitted in the background while Buyer is on SCI web site. URL can contain query string parameters, e.g. "http://www.merchant.com/status.php?a=b".
     • This is an e-mail address of Merchant, where SCI sends data of payment status form in an e-mail body. This e-mail is sent in the background while Buyer is on SCI web site.
     This parameter is optional. You may, however, need to specify this parameter if you intend to process payment information further and record it in the database.
     This parameter can also be specified in payment details form
   • Status URL HTTP method. As a method of data transmit, Merchant can use of the following:
     • POST — payment status form data are transmitted via HTTP POST request
     • GET — payment status form data are transmitted via HTTP GET request
     This parameter is ignored if Status URL is set to e-mail address.

Merchant may create up to 10 stores in his Liberty Reserve account.

Accepting and processing payments

SCI overview

Basic principals of interaction between Merchant's web site and SCI web site includes the following steps:

• Redirecting of Buyer from Merchant's web page to SCI web page and transmittal of payment request form
• Receiving of data of payment successful form and its analysis, if necessary
• Receiving of data of payment fail form and its analysis, if necessary
• Receiving and processing of payment confirmation form

You need to redirect the Buyer to Liberty Reserve's SCI web site (and send payment request form) at the following URL address:

https://sci.libertyreserve.com/

Payment Request Form

HTML form for payment request is generated by Merchant's web site and is used to transmit data to Liberty Reserve SCI. This form represents a set of hidden fields that contain information necessary to complete transfer through SCI.
Table below lists all acceptable fields for HTML form to properly interact with SCI.

HTML form field	Format	Description	Examples
lr_acc	Text string in a form of Unnnnnnn or Xnnnnnnn up to 8 characters in length, where nnnnnnn is an account number	Merchant's account number	U123456 X567
lr_acc_from	Text string in a form of Unnnnnnn or Xnnnnnnn up to 8 characters in length, where nnnnnnn is an account number	Buyer's account number. This field is optional, but if it exists the Buyer will not be able to make a payment from any other account.	U98765
lr_store	Text field, up to 50 characters in length (varchar(50))	Name of the Merchant's store. This field is optional. If omitted, SCI will work in simple mode.	My Store
lr_amnt	Fraction with up to 4 digits in denominator, comma (.) as a separator (.)	Amount to be transferred to Merchant's account. This field is optional, but if it exists the Buyer will not be able to change payment amount.	123.40 3.1234
lr_currency	Currency. Specified via one of the following: LRUSD (Liberty Reserve, USD) LREUR (Liberty Reserve, EUR)	Currency type preferred. This field is optional, and if omitted will default to LRUSD.	LRUSD
lr_comments	String of text, up to 100 characters long (varchar(100))	Memo, that Merchant may want to include along with payment. This field is optional. If this field is specified Buyer can not edit any information in it, but can add his own comments.	payment for mp3 player
lr_merchant_ref	String of text, up to 20 characters long (varchar(20))	Additional identifying factor that can be set by the Merchant. This information is stored in the Liberty Reserve transaction database. This field is optional.	HGF44556756
lr_success_url	String of text, up to 100 characters long (varchar(100))	URL address of payment successful page at the Merchant's web site. This field is not required. Also it can be specified in SCI store settings in your account. If omitted and SCI works in simple mode, SCI server will return Buyer to Merchant's checkout page.	http://www.merchant.com/success.html
lr_success_url_method	Success URL redirect HTTP method. Specified via one of the following: GET POST LINK	Payment successful page redirect HTTP method. This field is not required. It can be specified in SCI store settings in your account.	GET LINK
lr_fail_url	String of text, up to 100 characters long (varchar(100))	URL address of payment failed page at the Merchant's web site. This field is not required. Also it can be specified in SCI store settings in your account. If omitted and SCI works in simple mode, SCI server will return Buyer to Merchant's checkout page.	http://www.merchant.com/fail.html
lr_fail_url_method	Fail URL redirect HTTP method. Specified via one of the following: GET POST LINK	Payment failed page redirect HTTP method. This field is not required. It can be specified in SCI store settings in your account.	GET LINK
lr_status_url	String of text, up to 100 characters long (varchar(100))	One of the following:   a) URL address of payment status page at the Merchant's web site. In this case URL value must be prefixed by "https:" or "http:".   b) E-mail address to send a successful payment notification via e-mail. E-mail body contains data of payment status form. In this case URL value must be prefixed by "mailto:". This field is not required. It can be specified in SCI store settings in your account. If omitted and SCI works in simple mode, SCI server will not perform status request.	http://www.merchant.com/status.aspx mailto:mymail@domain.com
lr_status_url_method	Status data transmit HTTP method. Specified via one of the following: GET POST	Payment status form data transmit HTTP method. This field is not required. It can be specified in SCI store settings in your account.	POST get
Baggage fields	Up to 10 text strings, with 50 characters maximum each (varchar(50))	Baggage fields are set by the Merchant. These fields are not processed by SCI, but are included in all payment forms that SCI sends to the Merchant's web site. Baggage fields allow Merchant to attach more information to the transfer. Invoice number, product code, Buyer's account at Merchant's web site are all good examples of information that may be specified in additional fields. Only first 50 characters of each field will be displayed.	123456789 INV# GT789

Baggage field that has name or value "submit" is ignored by SCI.

Example

We will use the following parameters and settings for the examples listed below:

• SCI mode set to advanced mode
• Merchant's web site address - www.merchant.com
• Merchant's Liberty Reserve account number U123456
• Merchant has created a store called "MyStore" in his Liberty Reserve SCI settings, with the following settings:
  • Security Word - MySecWord123
  • Success URL of Merchant's web site - www.merchant.com/success.html
  • Fail URL of Merchant's web site - www.merchant.com/fail.html
• Payments will originate from Buyer's Liberty Reserve account, number U789

<!--Fragment of HTML page with the payment request form-->

....

<form method="GET" action="https://sci.libertyreserve.com">
  <input type="hidden" name="lr_acc" value="U123456">
  <input type="hidden" name="lr_store" value="MyStore">
  <input type="hidden" name="lr_amnt" value="12.34">
  <input type="hidden" name="lr_currency" value="LRUSD">
  <input type="hidden" name="lr_comments" value="payment for mp3 player">
  <!-- baggage fields -->
  <input type="hidden" name="track_id" value="166337678784">
  <input type="hidden" name="order_id" value="O7993547">
</form>

....

Payment Successful Form

HTML-form, that SCI generates and forwards to be displayed at Merchant's payment successful page (Success URL). This form contains a set of hidden fields that contain information about completed payment.
Please find the field descriptions in the table listed below.

HTML form field	Format	Description	Examples
lr_paidto	Text string in a form of Unnnnnnn or Xnnnnnnn up to 8 characters in length, where nnnnnnn is an account number	Merchant's Liberty Reserve account number.	U123456 X567
lr_paidby	Text string in a form of Unnnnnnn or Xnnnnnnn up to 8 characters in length, where nnnnnnn is an account number	Buyer's Liberty Reserve account number.	U567
lr_amnt	Fraction with up to 4 digits in denominator, comma (.) as a separator (.)	Payment amount.	123.40 3.1234
lr_fee_amnt	Fraction with up to 4 digits in denominator, comma (.) as a separator (.)	Commission that was deducted by Liberty Reserve system from the Merchant's account when payment was received.	0.5
lr_currency	Currency. Line accepts one of the following parameters: LRUSD (Liberty Reserve, USD) LREUR (Liberty Reserve, EUR)	Currency in which the payment was processed.	LRUSD
lr_transfer	Long number (64-bit integer)	Unique Liberty Reserve transaction number.	1234567890 9994456683762355345868
lr_store	Text string, up to 50 characters in length (varchar(50))	Name of the Merchant's store. If SCI works in simple mode this parameter is not included in the form.	My Store
lr_timestamp	Date, in YYYY-DD-MM HH:mm:SS format	Date of transaction (UTC).	2007-25-03 10:45:55 2005-01-02 01:01:30
lr_merchant_ref	Text string, up to 20 characters in length (varchar(20))	Additional identifying factor that is set by the Merchant. This information is stored in the Liberty Reserve transaction database.	HGF44556756
Baggage fields	Up to 10 text strings, with 50 characters maximum each (varchar(50))	Baggage fields, if any, specified by the Merchant.	123456789 INV# GT789

Examples

Below, you will find the fragment of sample form generated by Liberty Reserve SCI and transmitted to payment successful page on the Merchant's web site:

<!--Payment successful HTML form-->

....

<form method="GET" action="http://www.merchant.com/success.html">
  <input type="hidden" name="lr_paidto" value="U123456">
  <input type="hidden" name="lr_paidby" value="U789">
  <input type="hidden" name="lr_amnt" value="12.34">
  <input type="hidden" name="lr_fee_amnt" value="0">
  <input type="hidden" name="lr_currency" value="LRUSD">
  <input type="hidden" name="lr_transfer" value="4456778335534">
  <input type="hidden" name="lr_store" value="MyStore">
  <input type="hidden" name="lr_timestamp" value="2007-25-03 10:45:55">
  <!-- baggage fields set by the Merchant -->
  <input type="hidden" name="track_id" value="166337678784">
  <input type="hidden" name="order_id" value="O7993547">
</form>

....

Payment Failed Form

This is an HTML form that SCI transmits to the Merchant's web site (Fail URL), in case of a failed payment. This form represents a set of hidden fields that contain key payment information that was expected to be received by the Merchant.
Field definitions are listed below:

HTML form field	Format	Description	Examples
lr_paidto	Text string in a form of Unnnnnnn or Xnnnnnnn up to 8 characters in length, where nnnnnnn is an account number	Merchant's account number.	U123456 X567
lr_amnt	Fraction with up to 4 digits in denominator, comma (.) as a separator. (.)	Payment amount.	123.40 3.1234
lr_currency	Line accepts of the following parameters: LRUSD (Liberty Reserve, USD) LREUR (Liberty Reserve, EUR)	Payment currency.	LRUSD
lr_store	Text string, up to 50 characters in length (varchar(50))	Name of the Merchant's store. If SCI works in simple mode this parameter is not included in the form.	My Store
lr_merchant_ref	text string, up to 20 characters in length (varchar(20))	Additional identifying factor that can be set by the Merchant.	HGF44556756
Baggage fields	Up to 10 text strings, with 50 characters in length each (varchar(50))	Baggage fields that are set by the Merchant in payment request form.	123456789 INV# GT789

Example

Here is an example of a form, generated by Liberty Reserve SCI and transmitted to Merchant's web site to payment failed page.

<!--Payment failed HTML form-->

....

<form method="GET" action="http://www.merchant.com/fail.html">
  <input type="hidden" name="lr_paidto" value="U123456">
  <input type="hidden" name="lr_amnt" value="12.34">
  <input type="hidden" name="lr_currency" value="LRUSD">
  <input type="hidden" name="lr_store" value="MyStore">
  <input type="hidden" name="lr_merchant_ref" value="HGF44556756">
  <!-- baggage fields, set by the Merchant -->
  <input type="hidden" name="track_id" value="166337678784">
  <input type="hidden" name="order_id" value="O7993547">
</form>

....

Payment Status Form

This is an HTML form that SCI transmits to the Merchant's payment confirmation page or module (Status URL). This form represents a set of hidden fields that contain key information about completed payment.
Form fields and structure are identical to payment successful form but contains two additional fields.
These fields definitions are described below:

HTML form field	Format	Description	Examples
lr_encrypted	String	HASH string compiled from information contained in this form and security word. This parameter is very helpful in verification of information received from SCI server (more information here: Verification of SCI server's data). If SCI works in simple mode this parameter is not included in the form.
lr_encrypted2	String	Extended HASH string compiled from information contained in this form and security word. This parameter is most helpful in verification of information received from SCI server (more information here: Verification of SCI server's data). If SCI works in simple mode this parameter is not included in the form.

Example

This is an example of payment status form generated by Liberty Reserve SCI and transmitted to the Merchant's payment status page or module.

<!--Payment status HTML form-->

....

<form method="POST" action="http://www.merchant.com/status.aspx">
  <input type="hidden" name="lr_paidto" value="U123456">
  <input type="hidden" name="lr_paidby" value="U789">
  <input type="hidden" name="lr_amnt" value="12.34">
  <input type="hidden" name="lr_fee_amnt" value="0">
  <input type="hidden" name="lr_currency" value="LRUSD">
  <input type="hidden" name="lr_transfer" value="4456778335534">
  <input type="hidden" name="lr_store" value="MyStore">
  <input type="hidden" name="lr_timestamp" value="2007-25-03 10:45:55">
  <input type="hidden" name="lr_merchant_ref" value="HGF44556756">
  <input type="hidden" name="lr_encrypted" value="E71A1EE0A1396EDB03FD24BE88C129CFE3DFFC8A05188084FB853305978080FB">
  <input type="hidden" name="lr_encrypted2" value="6EB328563CD9876C79723843CC3924916D8D947ED3B3ACD3265246E82E441132">
  <!-- baggage fields, that are set by the Merchant -->
  <input type="hidden" name="track_id" value="166337678784">
  <input type="hidden" name="order_id" value="O7993547">
</form>

....

Simple example of HTML pages for accepting payments

This is a set sample HTML pages for the Merchant's web site to accept payments via SCI. We will use the same user data that was used in examples before.
Please note, that this example does not contain any verification or processing of data received from SCI, therefore, it can only give you the basic idea behind full functioning payment processing system.
In order to accept payments, Merchant will need to create three 3 HTML pages:

• Payment page that forwards the Buyer to Liberty Reserve SCI and sends payment request form
• Payment successful page
• Payment failed page

Creation of payment page

Lets assume that Merchant has created payment.html page where buyers start payment process. Here is an idea of what simple HTML code would look like:

<!--Payment HTML page-->

<html>
<head>
  <title>Make Payment</title>
</head>
<body>
<p>Get 20 mp3s for only $!</p>
<form method="GET" action="https://sci.libertyreserve.com">
  <input type="hidden" name="lr_acc" value="U123456">
  <input type="hidden" name="lr_store" value="MyStore">
  <input type="hidden" name="lr_amnt" value="10">
  <input type="hidden" name="lr_currency" value="LRUSD">
  <input type="hidden" name="lr_comments" value="Payment for 20 mp3s">
  <!-- baggage field -->
  <input type="hidden" name="order_id" value="O7993547">
  <input type="submit" name="i_submit" value="Pay!">
</form>
</body>
</html>

Creation of payment successful page

Lets assume that Merchant has created success.html as his payment successful page. Here is an idea of what simple HTML code would look like:

<!--Payment successful HTML page-->

<html>
<head>
  <title>Payment Accepted</title>
</head>
<body>
<p>We have received your payment. Your business is appreciated!</p>
</body>
</html>

Creation of payment failed page

Lets assume that Merchant has created fail.html as his payment failed page. Here is an idea of what simple HTML code would look like:

<!--Payment failed HTML page-->

<html>
<head>
  <title>Payment was not received.</title>
</head>
<body>
<p>Payment has failed.</p>
</body>
</html>

Verification of SCI server's data

Merchant's web site receives data forms from SCI server. To verify data received in Success Form and Status Form, those forms include special hidden fields lr_encrypted and lr_encrypted2, that contain HASH strings concatenated from the form parameters.

Verification via lr_encrypted

lr_encrypted field contains HASH string concatenated from the following parameters:

• Merchant's account (lr_paidto)
• Buyer's account (lr_paidby)
• Merchant's store name (lr_store)
• Payment amount (lr_amnt)
• Transaction ID (lr_transfer)
• Payment currency (lr_currency)
• Store's security word

SCI server's data verification is available only in advanced mode.

To verify data you will need to perform the following:

1. By concatenating information you will receive a string that looks like: lr_paidto:lr_paidby:lr_store:lr_amnt:lr_transfer:lr_currency:secret word. You will need to use form data contained in hidden fields and security word to successfully complete this step.
2. You then will need to HASH this string via SHA256
3. Compare the received HASH string with the string contained in hidden field lr_encrypted. Both strings should be identical. If they are not, you CAN NOT TRUST any information received from server

Let's study the example of creating the HASH string with the following data contained in hidden fields:

• lr_paidto = U123456
• lr_paidby = U789
• lr_store = MyStore
• lr_amnt = 12.34
• lr_transfer = 4456778335534
• lr_currency = LRUSD

For this example, we will use the following security word: MySecWord123.

Concatenation of data: U123456:U789:MyStore:12.34:4456778335534:LRUSD:MySecWord123

HASH SHA256 from compiled data: E71A1EE0A1396EDB03FD24BE88C129CFE3DFFC8A05188084FB853305978080FB

Verification via lr_encrypted2

lr_encrypted2 field provides more secure way to verify server's data. This field contains HASH string concatenated from the following parameters:

• Merchant's account (lr_paidto)
• Buyer's account (lr_paidby)
• Merchant's store name (lr_store)
• Payment amount (lr_amnt)
• Transaction ID (lr_transfer)
• Merchant reference (lr_merchant_ref)
• Baggage fields (represented as a semicolon-separated string that consists of pairs baggage_field_name=baggage_field_value)
• Payment currency (lr_currency)
• Store's security word

SCI server's data verification is available only in advanced mode.

To verify data you will need to perform the following:

1. By concatenating information from your baggage fields you will receive a string that looks like: baggage_field1_name=baggage_field1_value;baggage_field2_name=baggage_field2_value;...;baggage_fieldN_name=baggage_fieldN_value. If you do not use baggage fields you will receive an empty string.
2. By concatenating information you will receive a string that looks like: lr_paidto:lr_paidby:lr_store:lr_amnt:lr_transfer:lr_merchant_ref:concatenated baggage fields:lr_currency:secret word. You will need to use form data contained in hidden fields and security word to successfully complete this step.
3. You then will need to HASH this string via SHA256
4. Compare the received HASH string with the string contained in hidden field lr_encrypted2. Both strings should be identical. If they are not, you CAN NOT TRUST any information received from server

Let's study the example of creating the HASH string with the following data contained in hidden fields:

• lr_paidto = U123456
• lr_paidby = U789
• lr_store = MyStore
• lr_amnt = 12.34
• lr_transfer = 4456778335534
• lr_merchant_ref = HGF44556756
• Baggage fields:
  • track_id = 166337678784
  • order_id = O7993547
• lr_currency = LRUSD

For this example, we will use the following security word: MySecWord123.

Concatenation of baggage fields: track_id=166337678784;order_id=O7993547

Concatenation of data: U123456:U789:MyStore:12.34:4456778335534:HGF44556756:track_id=166337678784;order_id=O7993547:LRUSD:MySecWord123

HASH SHA256 from compiled data: 6EB328563CD9876C79723843CC3924916D8D947ED3B3ACD3265246E82E441132

Security considerations

To avoid compromises in security and to minimize the threat of malicious users, we recommend the following:

• Security Word in store must not contain any easy to guess data or be the same as account password.
• You must not transfer, share or expose passwords, security words, and other authentication data that only you can know to a third party or in the open.
• It is highly recommended not to store any authentication data such as, passwords, security words, etc. in source codes. This information must be kept in a separate, secured file or database.
• Verification of data received from SCI server is the only acceptable way to analyze and process payment information.
• You must make sure that all received SCI information is actually coming from Liberty Reserve server.
• In all cases, if possible, you can not rely only on data received from SCI, because it can be faked or mimicked by a malicious user. If you wish to be 100% sure that all information about payment is correct you are encouraged to use the XML API functions.

Change log

Date	Subject	Description
09-04-2007	Payment request form / Store entry	Status form data transmit via e-mail available.
09-06-2007	Payment request form / Store entry	Success URL/Fail URL/Status URL HTTP methods added.
09-11-2007	General SCI functionality	Simple mode added to accept payments without store entry.
09-13-2007	Payment request form	lr_amnt, lr_success_url, lr_fail_url are no longer required form fields.
09-13-2007	Payment successful form	lr_encrypted field has been excluded from the form.
09-13-2007	Store entry	Merchant can't create more than 10 Store entries
11-22-2007	Verification of SCI server's data	New HASH field lr_encrypted2 has been added to Payment Status Form.