I finally managed to figure out what to do to migrate a Perl shopping cart to SagePay version 3.0. I went down a ton of blind alleys and this was an excellent article but I had problems installing Crypt::Cipher::AES. The solution I found that works avoiding a bunch of SagePay Gotchas is:

use Crypt::CBC;

# The Sagepay test login is at:
# https://test.sagepay.com/mysagepay 
# Login using your administrator username and password. If
# you don't know what they are contact SagePay support and
# they will send a reset link to the registered email 
# address of the administrator. After you login you 
# will see Encryption Password: <16 character long string>

my $id = <16 char long Encryption Password>; # e.g. AbcdeFghiJkLmNoP
my $iv = $id;

my $cipher = Crypt::CBC->new(
        -key         => $id,
        -iv          => $iv,
        -cipher      => 'OpenSSL::AES',
        -literal_key => 1,
        -header      => "none",
        -padding     => "standard",
        -keysize     => 16
                             );
$crypt = uc $cipher->encrypt_hex($crypt);
$crypt  = "@".$crypt;
[download]

$crypt is what you submit via your shopping cart CGI form to SagePay. For the test environment the URL to submit your form to is:

https://test.sagepay.com/gateway/service/vspform-register.vsp

To go live you need the live Encryption Password. Its not the same as the test Encryption Password. You can ask SagePay support where to find this.

For the live environment the URL to submit your form to is:

https://live.sagepay.com/gateway/service/vspform-register.vsp

I hope this helps someone else avoid spending ages working through this like I did.