7. Return variables

Detailed below are the possible variables returned to the receiver as the response to a PDT request or as part of an ITN from PayFast.


Transaction details

| Field | Description | Required | Max length |
|---|---|---|---|
| m_payment_id | Unique payment ID on the merchant’s system. | recommended | |
| pf_payment_id | Unique transaction ID on PayFast. | required | |
| payment_status | The status of the payment. | required | |
| item_name | The name of the item being charged for. | required | 100 char |
| item_description | The description of the item being charged for. | recommended | 255 char |
| amount_gross | The total amount which the payer paid. | required | |
| amount_fee | The total in fees which was deducted from the amount. | required | |
| amount_net | The net amount credited to the receiver’s account. | required | |
| custom_str1..5 | The series of 5 custom string variables (custom_str1, custom_str2…) originally passed by the receiver during the payment request. | optional | 255 char |
| custom_int1..5 | The series of 5 custom integer variables (custom_int1, custom_int2…) originally passed by the receiver during the payment request. | optional | |


Buyer details

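| Field | Description | Required | Max length |
|---|---|---|---|
| name_first | The buyer’s first name. | recommended | 100 char |
| name_last | The buyer’s last name. | recommended | 100 char |
| email_address | The buyer’s email address. | recommended | 100 char |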


Merchant details

| Field | Description | Required | Max length |
|---|---|---|---|
| merchant_id | The Merchant ID as given by the PayFast system. Used to uniquely identify the receiver’s account. | required | |


Recurring billing details

| Field | Description | Required | Max length |
|---|---|---|---|
| token | Unique ID on PayFast that represents the subscription. | required | 36 char |

Should the buyer / subscriber cancel a subscription, an ITN call may be made. In this case, the payment_status field may return an additional status value.

| Field | Description |
|---|---|
| payment_status | After a successful payment the status sent will be COMPLETE. When a subscription is cancelled the status will be CANCELLED. |


Security information

| Field | Description | Required | Max length |
|---|---|---|---|
| signature | A security signature of the transmitted data taking the form of an MD5 hash of the submitted variables. The string from which the hash is created is the concatenation of the name-value pairs of all the non-blank variables with ‘&’ used as a separator, e.g. “name_first=John&name_last=Doe&email_address=…”, where pairs are listed in the order in which they appear on this page. This hash will be regenerated by the PayFast engine and the values compared to ensure the integrity of the data transfer. | recommended | 32 char |


If the ITN callback method has been used, part of the security checking stage is confirming the received data’s signature. The following is a sample of generating the signature to compare.

If you have a passphrase set on your account “Settings” page, it will need to be added to the string used to generate the signature. The passphrase is never published or given out. It serves as an extra security measure to ensure that all information is accurate and has not been tampered with.

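$pfData = $_POST;
$pfParamString = '';
// Construct variables: strip slashes from each posted value
foreach( $pfData as $key => $val )
    $pfData[$key] = stripslashes( $val );
// Append the passphrase, if one is set on the account
if( isset( $passPhrase ) )
    $pfData['passphrase'] = $passPhrase;
// Build the parameter string from every pair except the signature itself
foreach( $pfData as $key => $val )
    if( $key !== 'signature' )
        $pfParamString .= $key .'='. urlencode( $val ) .'&';
// Remove the last '&' from the parameter string
$pfParamString = substr( $pfParamString, 0, -1 );
$signature = md5( $pfParamString );
// Reject the notification if the received signature does not match
if( !isset( $pfData['signature'] ) || !hash_equals( $signature, $pfData['signature'] ) )
    die('Invalid Signature');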
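
An added example, not PayFast's own code, that applies the signature check above before acting on payment_status, so a COMPLETE or CANCELLED value is only trusted from a correctly signed post and a post altered after signing is rejected. The function names, passphrase, merchant ID and sample fields are constructed for illustration, and the merchant_id comparison is an assumption about receiver policy.

```php
<?php
// Added example (not PayFast code); names and sample values are constructed.

// Signature over every posted pair except 'signature', in received order,
// with the passphrase appended last, as in the sample above.
function pfSignature(array $post, ?string $passPhrase): string
{
    unset($post['signature']);
    if ($passPhrase !== null) {
        $post['passphrase'] = $passPhrase;
    }
    $pairs = [];
    foreach ($post as $key => $val) {
        $pairs[] = $key . '=' . urlencode(stripslashes((string) $val));
    }
    return md5(implode('&', $pairs));
}

// Classify one ITN post as 'paid', 'cancelled', 'ignored' or 'rejected'.
function pfHandleItn(array $post, ?string $passPhrase, string $merchantId): string
{
    $sent = $post['signature'] ?? '';
    // Fail closed on a missing signature; hash_equals() is constant-time.
    if (!is_string($sent) || !hash_equals(pfSignature($post, $passPhrase), $sent)) {
        return 'rejected';
    }
    // Assumption: a notification for another merchant account is not ours.
    if (($post['merchant_id'] ?? '') !== $merchantId) {
        return 'rejected';
    }
    switch ($post['payment_status'] ?? '') {
        case 'COMPLETE':  return 'paid';
        case 'CANCELLED': return 'cancelled'; // subscription is named by 'token'
        default:          return 'ignored';
    }
}

// Constructed sample notification, signed locally so the script runs offline.
$passPhrase = 'example-passphrase';
$itn = ['m_payment_id' => 'ORDER-1001', 'pf_payment_id' => '1234567',
        'payment_status' => 'COMPLETE', 'item_name' => 'Monthly plan',
        'amount_gross' => '100.00', 'merchant_id' => '10000100',
        'token' => '00000000-0000-0000-0000-000000000000'];
$itn['signature'] = pfSignature($itn, $passPhrase);
$cancel = array_merge($itn, ['payment_status' => 'CANCELLED']);
$cancel['signature'] = pfSignature($cancel, $passPhrase);
$tampered = array_merge($itn, ['amount_gross' => '1.00']); // changed after signing
foreach ([$itn, $cancel, $tampered] as $post) {
    echo pfHandleItn($post, $passPhrase, '10000100'), "\n";
}
```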