Banklink (Pangalink) PHP usage

This article was published in Russian on my blog midbar.livejournal.com. Now I have decided to translate it into English and publish it here.
This tutorial was written because there was very little information about Banklink (Pangalink) available in Russian or English. So here is a description of what BankLink is in general, how to set up a BankLink connection and what its specifics are.

1. What is it?
In the Baltic states the number of online shops is growing fast, and the logical question arises: how does the client pay?
There are many ways to do it, each with its own pros and cons:
a) Payment on delivery. Not the most convenient option: you have to handle cash, and the client may refuse the product once it has already been delivered. This is how it worked in Latvia about 10 years ago; I bought from shops this way.
b) Payment by credit card. Not everybody has a credit card, and credit card fraud reduces the number of clients willing to pay this way.
c) Payment via PayPal. Also not that convenient: transferring funds out of PayPal takes time and costs money.
d) Payment via a local bank, through the bank's own authorization system. This is exactly what BankLink is. It also has a disadvantage: the circle of clients is limited to customers of the banks with which you have signed an agreement.
Ideally, you should offer as many payment methods as possible in your online shop.

2. How it works.
The Client of the online shop has an amount to pay on the Seller's site.
The Seller offers payment via the BankLink of whichever bank suits the Client best.
The Client selects a bank, and the payment data is sent to that bank.
The bank asks the Client to authenticate and to confirm the payment.
After the payment is accepted, the bank returns a response to the Seller's site.

3. Source Code.
All the scripts required for this I took from here. Huge respect and thanks to Mihkel-Mikelis Putrinsh for the work he did.
3.1 The form for sending data to the bank.
All data is sent by the POST method over HTTPS. Here is the page from which we send the data to the bank.

3.2 The form for receiving data from the bank.
All data is received from the bank by the POST method over HTTPS. Let's look at our page vk_return.php.

4. Security.
Security is one of the most important parts of the whole process. How does it work?
4.1 The Seller sends data to the bank.
In #3.1 we sent the variable VK_MAC. It is generated as follows:
The value of the function MAC008 is computed with the RSA public-key algorithm as follows. The length of empty fields is also taken into account, as «000».
MAC008(x1, x2, …, xn) := RSA( SHA-1( p(x1) || x1 || p(x2) || x2 || … || p(xn) || xn ), d, n )
where:

|| is the string concatenation operation
x1, x2, …, xn are the parameters of the request
p is the function giving the parameter's length
d is the secret (private) exponent of RSA
n is the RSA modulus

The signature is computed according to the PKCS #1 standard (RFC 2437).
This is an extract from the Swedbank site.
In our case it looks as follows:
There are many ways to produce the signature. One can be seen in this script; I will describe another below.

The created signature is sent to the bank along with the other data. When signing the agreement, the Seller handed its public key to the bank; the bank uses this key to verify the correctness of your signature.

4.2 In #3.2 we verified the correctness of the bank's signature. The bank publishes its public key for this purpose.
Let's see an example of how it works.
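To make #4.1 and #4.2 concrete, here is an added example of MAC008 signing and verification in PHP with the OpenSSL extension. It is not one of the original scripts from the article or from Mihkel-Mikelis Putrinsh; the field names and their order are illustrative (take the exact list for your VK_SERVICE from your bank's specification), and a throwaway RSA key pair is generated in the script so it runs offline, standing in for the Seller's key on the sending side and for the bank's published key on the receiving side.

```php
<?php
// Added example, not the article's own code. MAC008 as on the Swedbank extract:
// RSA_sign( SHA-1( p(x1)||x1||...||p(xn)||xn ) ) with PKCS#1 v1.5 padding.
// Assumptions: field set/order are illustrative; the key pair is generated here
// only so the script runs offline.

/**
 * Build the MAC008 input string p(x1)||x1||p(x2)||x2||...
 * p(x) is the parameter length as three zero-padded digits, so an empty
 * field contributes "000" exactly as the specification requires.
 * Length is counted in bytes (strlen); for single-byte charsets such as
 * ISO-8859-1 that equals the character count. Check the bank's rules for UTF-8.
 */
function mac008_input(array $fields): string
{
    $out = '';
    foreach ($fields as $value) {
        $value = (string) $value;
        $out .= sprintf('%03d', strlen($value)) . $value;
    }
    return $out;
}

/** Seller side (#4.1): sign the MAC input with the private key, return base64 VK_MAC. */
function mac008_sign(array $fields, $privateKey): string
{
    $signature = '';
    // OPENSSL_ALGO_SHA1 gives SHA-1 digest + PKCS#1 v1.5 signature (RFC 2437).
    if (!openssl_sign(mac008_input($fields), $signature, $privateKey, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('openssl_sign failed: ' . openssl_error_string());
    }
    return base64_encode($signature);
}

/** Receiver side (#4.2): verify a base64 VK_MAC against the sender's public key. */
function mac008_verify(array $fields, string $mac, $publicKey): bool
{
    $signature = base64_decode($mac, true);   // strict: reject malformed base64
    if ($signature === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error). Only 1 passes;
    // treating -1 as success is a classic mistake.
    return openssl_verify(mac008_input($fields), $signature, $publicKey, OPENSSL_ALGO_SHA1) === 1;
}

// --- Demo with a throwaway key pair (stands in for the Seller's key) ---
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) {
    throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
}
$publicPem = openssl_pkey_get_details($key)['key'];   // PEM the bank would hold

// Illustrative request fields (constructed), in the order the bank specifies.
$request = [
    'VK_SERVICE' => '1001',
    'VK_VERSION' => '008',
    'VK_SND_ID'  => 'testshop',
    'VK_STAMP'   => '20131201001',
    'VK_AMOUNT'  => '12.50',
    'VK_CURR'    => 'EUR',
    'VK_ACC'     => '',            // empty field still contributes "000"
    'VK_NAME'    => 'Test Shop',
    'VK_REF'     => '',
    'VK_MSG'     => 'Order 1',
];

$mac = mac008_sign($request, $key);
if (!mac008_verify($request, $mac, $publicPem)) {
    throw new RuntimeException('signature over untouched fields must verify');
}

// Changing any signed field, e.g. the amount, must invalidate the signature.
$tampered = $request;
$tampered['VK_AMOUNT'] = '0.01';
if (mac008_verify($tampered, $mac, $publicPem)) {
    throw new RuntimeException('tampered fields must not verify');
}

echo "VK_MAC=", $mac, "\n", "untouched request verifies, tampered amount is rejected\n";
```

In vk_return.php the same mac008_verify is run with the bank's public key (taken from the bank's documentation or agreement, never from the request itself) over exactly the response fields the bank's specification lists for that service, in that order. A valid signature only proves the message came from the bank: the page should additionally match the returned VK_STAMP and amount against an order that is still pending in your own database, so that a captured genuine response cannot be submitted a second time.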

5. That's it.
Those are all the specifics I wanted to tell you about.
No animals were harmed while investigating the functionality.
I used information from the following sites:
HansaPank – technical description.
SEB EESTI Ühispank – technical description.
Sampo Pank – bank link.
Mihkel-Mikelis Putrinsh – scripts.