Post by CreativeA » Wed Apr 22, 2015 10:23 pm

We've had an issue with someone pushing through an order for a £1000 gift voucher, paying via Worldpay and submitting a £0.01 payment. So (as confirmed talking to Worldpay tech support) someone has clearly manually hacked and intercepted the payment info between checkout + Worldpay.

Worldpay tech have told us we've been unlucky, it's uncommon that this happens. However, they said that we need to enable MD5 encryption to stop it happening again, but that we can't do so via Opencart. The advice was "ring Opencart and ask them if they intend to support it" :-X or change to another shopping cart!!

Ridiculous.

Anyway, I can't find much around this issue via Google and I haven't utilised Worldpay before with Opencart, but as my client has already signed up with them we need to make this work. I've found a plugin sold by http://www.sellxed.com/ and having spoken to them they do apparently support the MD5 encryption... but it's £140, which hasn't gone down well with my client and it perhaps seems a bit heavyweight as a plugin for what we want to achieve...

Is there not an easier way around this - i.e. to enable MD5 Encryption from within Opencart, given Worldpay is as default included with an Opencart install? We are using version 1.5.6.4?

I would really appreciate any assistance or pointers on this.

Many thanks


Post by ChrisStanyon » Thu May 14, 2015 12:00 am

Don't mean to hijack your post, but having exactly the same problem here. We've had several orders over the last few days that have been pushed through WorldPay as £0.01. Spoke to WorldPay and they advised we enable the MD5 Encryption, which it looks like we can't do in OpenCart.

Seems crazy that such a simple security feature isn't implemented by default.

Obviously someone out there has figured that OpenCart is not a particularly secure setup, so I would imagine this is likely to happen more and more - not a great advert for the OpenCart package, and will only help to drive people away - even WorldPay themselves are advising a switch to different software.

Here's hoping that the Devs act on this as it's likely to be a real show stopper for a lot of people.

[OpenCart 1.5.6.4]


Post by ChrisStanyon » Thu May 14, 2015 1:22 am

OK,

Figured this out. There's no way to do it via the admin screens, but a simple edit to a Worldpay template file adds in the MD5 encryption.

Firstly, login to your Worldpay account and on the Installation Administration screen you'll see a couple of options that need configuring. Towards the bottom of the screen you'll see options for MD5 secret for transactions and SignatureFields. Create a password for the MD5 secret (think it needs to be minimum of 22 characters), and in the SignatureFields, enter a colon delimited list of the particular fields you want to protect, such as: instId:amount:currency

Now edit the worldpay.tpl file from your OpenCart theme. It's in the template/payment folder, and add something like the following to the top:

Code: Select all

<?php
// Must match the "MD5 secret for transactions" set in the Worldpay installation.
$secretKey = "yourSecretKeyPassword";
// Secret first, then the SignatureFields values in the same order (instId:amount:currency).
$rawSignature = sprintf("%s:%s:%s:%s", $secretKey, $merchant, $amount, $currency);
$signature = md5($rawSignature);
?>

Basically you're creating a string containing a colon delimited list of your secret key plus the values of the fields you specified in the SignatureFields option in Worldpay. You're then creating an MD5 hash from that string.

Now, in the HTML for the form, add in this (make sure it's inside the form tags!):

Code: Select all

<input type="hidden" name="signature" value="<?php echo $signature; ?>" />

That's it. You should now have the MD5 encryption enabled and it'll prevent the data tampering.

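The signing scheme described in the post above, as an added example that is not part of the original thread and is not OpenCart or Worldpay code: it builds the signature from a SignatureFields list and shows which changes to the submitted form a recomputed signature catches. The receiving-side check is a stand-in that assumes the gateway recomputes the same MD5 over the submitted fields; the secret, field values and function names are constructed.

```php
<?php
// Added example: not OpenCart or Worldpay code; names and values are constructed.

// Secret first, then the value of each field named in SignatureFields, in that
// order, joined with colons, as the post describes.
function build_signature(string $secret, string $signatureFields, array $form): string
{
    $parts = [$secret];
    foreach (explode(':', $signatureFields) as $name) {
        if (!array_key_exists($name, $form)) {
            throw new InvalidArgumentException("signed field missing: $name");
        }
        $parts[] = (string) $form[$name];
    }
    return md5(implode(':', $parts));
}

// Stand-in for the receiving side (assumption): recompute over the submitted
// values with the shared secret and compare in constant time.
function signature_matches(string $secret, string $signatureFields, array $submitted): bool
{
    if (!isset($submitted['signature'])) {
        return false;
    }
    try {
        $expected = build_signature($secret, $signatureFields, $submitted);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    return hash_equals($expected, (string) $submitted['signature']);
}

$secret = 'constructed-secret-not-a-real-key';
$signatureFields = 'instId:amount:currency';

// Form as the shop renders it (constructed values).
$form = ['instId' => '123456', 'cartId' => 'order-1001', 'amount' => '1000.00', 'currency' => 'GBP'];
$form['signature'] = build_signature($secret, $signatureFields, $form);

// The amount changed after rendering: the old signature no longer matches.
$changedAmount = ['amount' => '0.01'] + $form;
// cartId is not listed in SignatureFields, so a change to it is not detected.
$changedCartId = ['cartId' => 'order-9999'] + $form;

foreach (['as rendered' => $form, 'amount changed' => $changedAmount, 'cartId changed' => $changedCartId] as $label => $fields) {
    printf("%-15s %s\n", $label, signature_matches($secret, $signatureFields, $fields) ? 'accepted' : 'rejected');
}
```

The signed strings must be byte-for-byte the values placed in the hidden form fields, so format the amount once and use that same string for both the field and the signature.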

Post by Strangeman » Sat Sep 19, 2015 4:34 am

Many thanks for this code - I thought it might be helpful to let you know and anyone else who has been ripped off that it works.


Post by CreativeA » Tue Jan 12, 2016 4:33 am

Only just seen the replies.

A belated thanks for the code share ChrisStanyon!

We ended up leaving WorldPay in the end and sticking with PayPal as the customer service at WorldPay was appalling.
