I have made the server integration with Sage Pay, and on the TEST server the VPSSignature from the POST matches the MD5 constructed with the message and the other elements of the confirmation message. The problem is that when I return to LIVE mode, the MD5 hash and the VPSSignature do not match for any of the transactions, even though they come with OK status.
I checked my string against the Sage Pay documentation:
MD5 signature of the concatenation of the values of: VPSTxId +
VendorTxCode + Status + TxAuthNo + VendorName + AVSCV2 + SecurityKey +
AddressResult + PostCodeResult + CV2Result + GiftAid + 3DSecureStatus
+ CAVV + AddressStatus + PayerStatus + CardType + Last4Digits + DeclineCode + ExpiryDate + FraudResponse + BankAuthCode.
NOTE: MD5 value is returned in UPPER CASE.
Please ensure the VendorName is LOWER CASE prior to hashing. Use urldecode to reverse the urlencoding you received from Sagepay. If a field is returned without a value this should not be checked against the string.
I saw "SagePay Server Integration Verify Signature", but it doesn't mention anything about the test or live servers of Sage Pay.
The Sage Pay Server will send notification in the request part of a POST to the Notification URL provided in A1. The request will be URL encoded, with Name=Value fields separated by ‘&’ characters.
I read this on Sage Pay Server Integration and Protocol and Guidelines 3.00 available here.
The problem was solved by checking all the POST vars that come from Sage Pay, in this case:
3DSecureStatus
CAVV
AVSCV2
CV2Result
Some of these vars weren't captured and included in the MD5 signature concatenation string.
Problem solved.
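A sketch of the check described in this thread, added here as an example and not taken from the original posts or from Sage Pay: it builds the string from every documented field in order, so fields such as 3DSecureStatus and CAVV are never dropped. It assumes the vendor name comes from the merchant's own configuration and the SecurityKey was stored when the transaction was registered; all sample values are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Field order as quoted from the Sage Pay documentation in the question.
SIGNATURE_FIELDS = [
    "VPSTxId", "VendorTxCode", "Status", "TxAuthNo", "VendorName", "AVSCV2",
    "SecurityKey", "AddressResult", "PostCodeResult", "CV2Result", "GiftAid",
    "3DSecureStatus", "CAVV", "AddressStatus", "PayerStatus", "CardType",
    "Last4Digits", "DeclineCode", "ExpiryDate", "FraudResponse", "BankAuthCode",
]

def parse_fields(raw_body):
    """URL-decode the POST body, keeping blank values so every field is seen."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}

def expected_signature(fields, vendor_name, security_key):
    """Upper-case MD5 of the documented concatenation; absent fields add nothing."""
    values = dict(fields)
    values["VendorName"] = vendor_name.lower()  # assumption: from merchant config
    values["SecurityKey"] = security_key        # assumption: stored at registration
    message = "".join(values.get(name, "") for name in SIGNATURE_FIELDS)
    return hashlib.md5(message.encode("utf-8")).hexdigest().upper()

def verify_notification(raw_body, vendor_name, security_key):
    """Return True only if VPSSignature matches the locally computed hash."""
    fields = parse_fields(raw_body)
    received = fields.get("VPSSignature", "").upper().encode("utf-8")
    expected = expected_signature(fields, vendor_name, security_key).encode("utf-8")
    return hmac.compare_digest(received, expected)  # constant-time comparison

# Constructed sample data (not real Sage Pay values).
VENDOR, KEY = "ExampleVendor", "CONSTRUCTEDKEY"

def sample_body():
    fields = {
        "VPSTxId": "{CONSTRUCTED-TX-ID}", "VendorTxCode": "order-1001",
        "Status": "OK", "TxAuthNo": "4255", "AVSCV2": "ALL MATCH",
        "CV2Result": "MATCHED", "3DSecureStatus": "OK", "CAVV": "AAAB+cc/dd=",
        "CardType": "VISA", "Last4Digits": "0006",
    }
    fields["VPSSignature"] = expected_signature(fields, VENDOR, KEY)
    return urlencode(fields)

if __name__ == "__main__":
    print(verify_notification(sample_body(), VENDOR, KEY))
```

Reject the notification whenever `verify_notification` returns False, regardless of the Status value it carries.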