Showing results for 
Search instead for 
Did you mean: 

Accept Customer Hosted Form Brute Force

We've received tens of thousands of $0 card authorization declines in the last couple of weeks. We've identified that someone is exploiting the Accept Customer Hosted Form ( which we're embedding in an iFrame on our application. Since card authorization happens when entering credit card data, it allows a malicious user to repeatedly test credit card data.


In order to combat this, we've set hostedProfileValidationMode=testMode. Is this the best solution, or is there another solution for having hostedProfileValidationMode=liveMode while still protecting against these kind of brute-force attacks?


Here are the settings we were using for the Accept Customer Hosted Form:


  • hostedProfileManageOptions=showPayment
  • hostedProfilePageBorderVisible=false
  • hostedProfileCardCodeRequired=true
  • hostedProfileBillingAddressRequired=true
  • hostedProfilePaymentOptions=showCreditCard
  • hostedProfileValidationMode=liveMode


I am facing the same issue.


I'm surprised that would offer a feature on their own hosted form which allows a malicious user to brute force credit card data without any kind of prevention, and the only solution is to disable that feature (hostedProfileValidationMode=testMode). I see that offers a "security code" feature on their checkout form to prevent this, but they haven't added anything simliar to the Accept Customer Hosted Form. If the Accept Customer Hosted Form is no longer a supported product they should announce it as deprecated so developers can make a more informed decision when developing a solution.


Is there anyone available from the team who can speak to this, as (from what I can see) this is an issue which will affect all customers who are using the hosted form.

Any update from the team?