We've received tens of thousands of $0 card authorization declines in the last couple of weeks. We've identified that someone is exploiting the Accept Customer Hosted Form (https://developer.authorize.net/api/reference/features/customer_profiles.html) which we're embedding in an iFrame on our application. Since card authorization happens when entering credit card data, it allows a malicious user to repeatedly test credit card data.
In order to combat this, we've set hostedProfileValidationMode=testMode. Is this the best solution, or is there another solution for having hostedProfileValidationMode=liveMode while still protecting against these kind of brute-force attacks?
Here are the settings we were using for the Accept Customer Hosted Form:
- hostedProfileManageOptions=showPayment
- hostedProfilePageBorderVisible=false
- hostedProfileCardCodeRequired=true
- hostedProfileBillingAddressRequired=true
- hostedProfilePaymentOptions=showCreditCard
- hostedProfileValidationMode=liveMode
