What is the absolute minimum we need to do?

Write one scripted web page that produces a form post to transfer the shopping basket back to @UK PLC.  We recommend that after your checkout you have a page that says


Return your order for Authorisation
(this sends the form post back to @UK)


Pay here now


It is a simple form post with all the fields to transfer the shopping basket.  There are quite a lot of fields and these are secured with a checksum and a hmac to stop tampering and confirm that the page can from you.

Where is the spec?

See Downloads or click here to get the latest version. You need to put in a valid email address when you register as the password will be sent to you by email.  This means that we can let you know if we release any updates to the specification and know what version you received.  It also sets you up with a BizCard Website on @UK PLC so that you have an ID for testing.

How long is the spec?

Do not panic. It is not 500 pages!  It is an html file approximately 5 pages long.

What is a complete implementation?

3 scripted webpages:

1. To accept the startSession command

2. To send the transfer or checkout command with the basket

3. To accept an amendBasket command.

Optionally you can have a 4th page to accept a confirmed purchase order.  This is a server to server communication so there are a lot more options and a lot of other protocols can be used.

Is there a tool kit?

There is a tool kit for dot Net and ASP.  But, we have not yet implemented tool kits for jsp, php or perl. If you are implementing on these platforms we would be interested in licencing back your implementation to provide others. The only tricky part is the sha1 checksum algorithm and the hmac-shal1-96 algorithm, and we have links to libraries that implement these algorithms in most languages in the documentation.

Are there examples?

There are a series of scenarios that you can go through and if you view source you can see the full details of the form posts, all implemented in sbXp.  The source code for the scenarios are part of the tool kit.

What are the likely problems after implementation?

1. The most common mistake is getting sender and receiver id’s mixed up.

When @UK PLC sends the customer to you, @UK PLC is the sender.  A third party e.g. a school is the buyer and you are the receiver.

When you send the basket back you are the sender, @UK PLC is the receiver and the third party is still the buyer.

This is something that the tool kit can not help with since you tell it who to send to and it tells you who it received from.

2. HMAC/SHA1 Algorithms

You need to strip out any non ASCII characters (over 127) and then convert to ASCII before creating the checksum or mac.  Why? Because even something as simple as the £ sign does not interoperate in windows between dotNet and asp.  Never mind interoperating with EBCDIC or UNIX.

The tool kit handles this and lets you know whether or not a message is valid and, if it is invalid, why it is invalid.

How does it work?

One site generates out an html page with a form post.  This goes to the customers browser.  The customer clicks on the form post, and the post message gets sent to the receiving webserver. It is the same as any other webpage where the customer enters information.  The only difference is that the form post fields are hidden so that the page is cleaner. Please see Process Diagrams for more details.


Click here to go to the OrderXchange website

OrderXchange toolkit

Order the OrderXchange toolkit


SiteLink allows your company to securely trade on a 24/7 basis at negigible cost.

Find out more about Site Link