Accept Hosted - What could someone do if they got Login ID & Transaction Key?

Hi all

I'm looking into using Accept Hosted for a client — to use Customer & Payment Profile IDs for monthly dynamic charges.

I want to better understand the security risks involved. (I've got the tech chops to build the site*, it's the security I'm concerned about)

What's the worst that could happen if someone were to get the Login ID & Transaction Key?

It seems to me they'd be limited to creating charges/refunds only between my client and their customers - but an auth.net phone rep said they could use them to get the Gateway ID, and then change my client's connected bank acct to one they have access to.

*FWIW: I've got the page, with an iFrame, working (in Sandbox) to add a Payment Profile to an existing Customer Profile.

(Please don't reply for me to just keep the ID & Key secure.)

TIA,
-Joel

joel_54321
Member
6 REPLIES

There are hosted payment forms that require two of the values in the web browser form. So they are not kept secret.
There must be a way to prevent those parts of the credentials from becoming a complete set, for unauthorized access.

marine2026
Trusted Contributor

Thanks @marine2026. I'm aware that the values need to be kept private, however I'm asking — in the case of some horrible breach, etc. — what would someone be able to do if they were to acquire the Login ID & Transaction Key.

Anybody?

TIA,

-Joel

joel_54321
Member

Joel,

Please forgive me for being tedious.

Yesterday I implemented our online web user payment form with a Client Public Transaction Key that was created in the Merchant Account. That key can be re-created as needed and is paired with the Merchant Name/API Login ID value.

It is the Merchant Transaction Key that should be kept private, but if exposed, can also be re-created.

I don't know the answer to your question, and I have not researched it on this site. It would be very good to know that answer.

David

<bump>

Any other thoughts from anyone?

(I'm thinking especially if someone got direct access to the web server and could change the PHP to simply output the keys…?)

TIA,
-Joel

joel_54321
Member

If someone were to obtain the Login ID and Transaction Key for Authorize.Net, the risks include unauthorized transactions, potential access to sensitive customer information, manipulation of payment settings, and damage to your client's reputation. To mitigate these risks, prioritize secure communication (HTTPS), implement tokenization for sensitive data, conduct regular security audits, enforce strict access controls, and store information securely. Consult with cybersecurity experts and Authorize.Net for guidance on best practices.

AlyKhan
Member

Thanks so much, @AlyKhan. Yes, we'll be using HTTPS, keeping the keys off of the web server, etc. My biggest concern has been if someone were to gain access to the web server itself and then modify the PHP to output the keys (as text). I guess one big issue is whether I can trust the web hosting co. …

joel_54321
Member
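Two of the points raised in the thread, keeping the Transaction Key out of the PHP source ("store information securely" in AlyKhan's reply) and noticing when deployed PHP has been edited to leak it (Joel's last concern), can be implemented on the server side. The following is an added example written for this page; it is not code from the thread, from Authorize.Net, or from its SDK. It assumes a file path outside the web root (`/etc/myapp/authnet.json`), environment variable names (`AUTHNET_LOGIN_ID`, `AUTHNET_TRANSACTION_KEY`) and a `sha256sum`-style manifest written at deploy time; all three are assumptions, not anything the forum describes.

```php
<?php
// Added example (not code from the thread or from Authorize.Net): keep the
// API Login ID / Transaction Key out of PHP source and out of the web root,
// and detect edits to deployed PHP files. Paths and variable names are assumptions.
declare(strict_types=1);

const CRED_FILE     = '/etc/myapp/authnet.json';          // assumed path, outside the web root
const MANIFEST_FILE = '/etc/myapp/php-manifest.sha256';   // assumed path, written at deploy time

/**
 * Load the gateway credentials. Preference order: environment variables set
 * by the process manager (never committed to the code base), then a JSON file
 * readable only by the PHP process user. Returns ['loginId' => ..., 'transactionKey' => ...].
 */
function loadGatewayCredentials(): array
{
    $loginId = getenv('AUTHNET_LOGIN_ID');            // assumed variable names
    $txKey   = getenv('AUTHNET_TRANSACTION_KEY');
    if ($loginId !== false && $txKey !== false) {
        return ['loginId' => $loginId, 'transactionKey' => $txKey];
    }

    if (!is_file(CRED_FILE)) {
        throw new RuntimeException('credential file missing');
    }
    // Refuse to start if the file is readable by group or others: a key that
    // leaks through loose permissions is as bad as one echoed by modified PHP.
    $mode = fileperms(CRED_FILE) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('credential file mode %04o is too permissive', $mode));
    }
    $data = json_decode((string) file_get_contents(CRED_FILE), true, 512, JSON_THROW_ON_ERROR);
    foreach (['loginId', 'transactionKey'] as $k) {
        if (!isset($data[$k]) || !is_string($data[$k]) || $data[$k] === '') {
            throw new RuntimeException("credential file lacks $k");
        }
    }
    return ['loginId' => $data['loginId'], 'transactionKey' => $data['transactionKey']];
}

/** Mask a secret before it reaches a log line: first two characters, then asterisks. */
function redactSecret(string $secret): string
{
    return substr($secret, 0, 2) . str_repeat('*', max(0, strlen($secret) - 2));
}

/**
 * Compare deployed PHP files against a manifest of "<sha256>  <relative/path>"
 * lines produced at deploy time (the format `sha256sum` emits). Returns the
 * relative paths whose contents changed or that are missing; [] means clean.
 */
function findModifiedFiles(string $webRoot, string $manifestFile): array
{
    $lines = file($manifestFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException('manifest unreadable');
    }
    $changed = [];
    foreach ($lines as $line) {
        $parts = preg_split('/\s+/', trim($line), 2);
        if (count($parts) !== 2) {
            continue;                                  // skip malformed manifest lines
        }
        [$expected, $rel] = $parts;
        $path   = $webRoot . '/' . $rel;
        $actual = is_file($path) ? hash_file('sha256', $path) : false;
        if ($actual === false || !hash_equals($expected, $actual)) {
            $changed[] = $rel;
        }
    }
    return $changed;
}

// Usage, e.g. from a cron job or at request start:
// $creds = loadGatewayCredentials();
// error_log('gateway login ' . $creds['loginId'] . ' key ' . redactSecret($creds['transactionKey']));
// $tampered = findModifiedFiles('/var/www/html', MANIFEST_FILE);
// if ($tampered !== []) { error_log('deployed PHP changed: ' . implode(', ', $tampered)); }
```

The manifest and the credential file live outside the directory the web server serves and are owned by a user other than the one PHP runs as, so an attacker who can only write to the web root cannot silently update the manifest to match their edits; the integrity check is a detection control that complements, rather than replaces, re-creating the Transaction Key after any suspected exposure.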