Using the PGP Signature to Authenticate Transactions

This function assumes that you are familiar with CGI scripting.

Related Links: Passback Function | Lookup Function | Return Mode Function | Return Address | Recurring Postback

Read the RESTRICTIONS below before using this function. As always, test your forms before making them live.

One of the security features built into the transaction system is the use of a PGP signature. Each transaction confirmation is sent to the merchant's return address (ret_addr), signed with a PGP signature. This is a bullet-proof security feature that gives a merchant the knowledge that the transaction confirmation was sent by the processing server.

You will need a PGP application installed on your server that supports dynamic verification of an RSA signature. Follow this link for information about using PGP with Windows, Unix, Macintosh, Perl, Java, C++, etc.: The International PGP Home Page (See the Products Page)

You may obtain the Publc Key by scrolling to the bottom of this page.


  • Transactions are only signed when either the PASSBACK or LOOKUP FUNCTION is used.
  • As with any other dynamic web page, your ret_addr (return address) must be a CGI script or some other application, such as CFM or ASP that is capable of parsing the name/value pairs that are passed, including the signature.
  • For security reasons, you should ALWAYS pass a unique variable to the system using the Passback Function. This will cause the signature to have a unique value for each transaction.


In this example, the following field values are used:

  • The ret_addr field is set to ""
  • The LOOKUP variables requested are email and phone
  • The PASSBACK variables are fieldname1 and ordernum

This is the string that is passed to the return address. (You may need to scroll right to see the entire URL.)