I posted a couple of weeks ago about this and we've just sorted out the 
solution.

It's an IIS box running PHP.

At the end of the process you post the cart variables to an exe file that 
creates an order hash to send to HSBC.

The exe outputs a new form to the browser with a load of variables and 
you have to press submit to get it to go to HSBC's server.

Because the HTML for this form is generated by the exe file there appears 
to be no way round bypassing this second form using PHP on an IIS box.

Luckily, I have a Spanish student working with me until the end of June 
to learn English and he's a C++ programmer.  He decompiled the Windows 
exe that HSBC provide, recoded it so that it puts all the form variables 
into a hidden field and sends them to HSBC without user intervention.

My fear was that HSBC would do some other check to make sure that their 
exe, which, after all, is part of a very secure process, hasn't been 
tampered with.  Anyway, he recompiled it and it now all works.

The upshot is that if you need to integrate a shopping cart with HSBC 
using PHP on an IIS server then e-mail me and I'll provide a new exe file 
for you.  At the moment, it's very much hard coded but we're going to get 
it to include a PHP file so that there will be a generic exe with a 
customisable PHP file (or any other file for that matter).  As I say, if 
by chance someone does come across the same problem then contact me and 
it might just save you a couple of weeks heartache.

-- 
Andy Jacobs