Hi all
I'm looking into using Accept Hosted for a client — to use Customer & Payment Profile IDs for monthly dynamic charges.
I want to better understand the security risks involved. (I've got the tech chops to build the site*, it's the security I'm concerned about)
What's the worst that could happen if someone were to get the Login ID & Transaction Key?
It seems to me they'd be limited to creating charges/refunds only between my client and their customers - but an auth.net phone rep said they could use them to get the Gateway ID, and then change my client's connected bank acct to one they have access to.
*FWIW: I've got the page, with an iFrame, working (in Sandbox) to add a Payment Profile to an existing Customer Profile.
(Please don't reply for me to just keep the ID & Key secure.)
TIA,
-Joel
11-15-2023 12:41 PM - edited 11-15-2023 12:44 PM
There are hosted payment forms that require two of the values in the web browser form. So they are not kept secret.
There must be a way to prevent those parts of the credentials from becoming a complete set, for unauthorized access.
11-16-2023 11:35 PM
Thanks @marine2026 . I'm aware that the values need to be kept private, however I'm asking — in the case of some horrible breach, etc. — what would someone be able to do if they were to acquire the Login ID & Transaction Key.
Anybody?
TIA,
-Joel
11-17-2023 09:06 AM
Joel,
Please forgive me for being tedious.
Yesterday I implemented our online web user payment form with a Client Public Transaction Key that was created in the Merchant Account. That key can be re-created as needed and is paired with the Merchant Name/API Login ID value.
It is the Merchant Transaction Key that should be kept private, but if exposed, can also be re-created.
I don't know the answer to your question, and I have not researched it on this site. It would be very good to know that answer.
David
11-21-2023 08:32 AM
<bump>
Any other thoughts from anyone?
(I'm thinking especially if someone got direct access to the web server and could change the PHP to simply output the keys…?)
TIA,
-Joel
11-27-2023 11:51 AM
If someone were to obtain the Login ID and Transaction Key for Authorize.Net, the risks include unauthorized transactions, potential access to sensitive customer information, manipulation of payment settings, and damage to your client's reputation. To mitigate these risks, prioritize secure communication (HTTPS), implement tokenization for sensitive data, conduct regular security audits, enforce strict access controls, and store information securely. Consult with cybersecurity experts and Authorize.Net for guidance on best practices.
12-08-2023 09:00 AM
Thanks so much, @AlyKhan Yes, we'll be using HTTPS, keeping the keys off of the web server, etc. My biggest concern has been if someone were to gain access to the web server itself and then modify the PHP to output the keys (as text). I guess one big issue is whether I can trust the web hosting co. …
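The concern in this post (a PHP file edited to print the keys, or a misconfiguration that serves them as text) is easier to reason about when the keys never live in the served code. The snippet below is an added example written for this thread; it is not code from any poster and not Authorize.Net's SDK. The file path `/etc/myshop/authnet.ini`, the environment variable names, the function names and the placeholder values are all assumptions. The `merchantAuthentication` element with `name` and `transactionKey` is the shape the Authorize.Net JSON API expects.

```php
<?php
// Added example (not from the thread or from Authorize.Net): keep the API Login
// ID and Transaction Key out of the PHP files under the web root, load them
// from the environment or from a locked-down file, and never echo or log them.
declare(strict_types=1);

// Hypothetical location outside DocumentRoot; adjust for the deployment.
const CONFIG_PATH = '/etc/myshop/authnet.ini';

/**
 * Load the merchant credentials. Preferred source: environment variables set
 * by the PHP worker's service or pool configuration (never committed to the
 * site's source). Fallback: an ini file outside the web root, owner-readable only.
 */
function loadAuthnetCredentials(): array
{
    $loginId = getenv('AUTHNET_API_LOGIN_ID');   // assumed variable name
    $txnKey  = getenv('AUTHNET_TRANSACTION_KEY'); // assumed variable name

    if ($loginId === false || $txnKey === false) {
        $ini     = parseCredentialFile(CONFIG_PATH);
        $loginId = $ini['api_login_id'];
        $txnKey  = $ini['transaction_key'];
    }
    return ['login_id' => $loginId, 'transaction_key' => $txnKey];
}

/**
 * Read the ini file, refusing two common mistakes: a credential file placed
 * under DocumentRoot (a server misconfiguration can serve it as plain text)
 * and a file readable by users other than the PHP worker.
 */
function parseCredentialFile(string $path): array
{
    $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    $real    = realpath($path) ?: $path;
    if ($docRoot !== '' && str_starts_with($real, realpath($docRoot) ?: $docRoot)) {
        throw new RuntimeException('credential file must not be inside DOCUMENT_ROOT');
    }

    $perms = fileperms($path);
    if ($perms === false || ($perms & 0077) !== 0) {
        // Group/world bits set: expect chmod 600, owned by the PHP worker user.
        throw new RuntimeException('credential file must be readable by its owner only');
    }

    $ini = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($ini === false || empty($ini['api_login_id']) || empty($ini['transaction_key'])) {
        throw new RuntimeException('credential file is missing api_login_id or transaction_key');
    }
    return $ini;
}

/**
 * Build the merchantAuthentication element for a JSON API request. The key is
 * placed only in the outgoing request body, never in a template or error page.
 */
function merchantAuthentication(array $creds): array
{
    return [
        'merchantAuthentication' => [
            'name'           => $creds['login_id'],
            'transactionKey' => $creds['transaction_key'],
        ],
    ];
}

/** Mask a secret for log lines: only its length and last two characters survive. */
function redact(string $secret): string
{
    return str_repeat('*', max(0, strlen($secret) - 2)) . substr($secret, -2);
}

// Usage: the credentials are fetched at request time and handed straight to the
// request builder; anything written to a log goes through redact().
$creds = loadAuthnetCredentials();
error_log('authnet login id in use: ' . redact($creds['login_id']));
$request = merchantAuthentication($creds);
```

Two points follow from the design. First, this removes the keys from the editable PHP files and from anything the web server could serve, which is the "output the keys as text" scenario in the post. Second, it does not protect against an attacker who can already execute code as the PHP worker user: that process must be able to read the key to send a request, so the remaining controls are the ones named earlier in the thread, re-creating the Transaction Key on suspicion of exposure and watching the merchant account for unexpected activity.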
12-08-2023 02:28 PM