I'm looking into using Accept Hosted for a client — to use Customer & Payment Profile IDs for monthly dynamic charges.
I want to better understand the security risks involved. (I've got the tech chops to build the site*, it's the security I'm concerned about)
What's the worst that could happen if someone were to get the Login ID & Transaction Key?
It seems to me they'd be limited to creating charges/refunds only between my client and their customers - but an auth.net phone rep said they could use them to get the Gateway ID, and then change my client's connected bank acct to one they have access to.
*FWIW: I've got the page, with an iFrame, working (in Sandbox) to add a Payment Profile to an existing Customer Profile.
(Please don't reply for me to just keep the ID & Key secure.)
There are hosted payment forms that require two of the values in the web browser form. So they are not kept secret.
There must be a way to prevent those parts of the credentials from becoming a complete set, for unauthorized access.
Thanks @marine2026 . I'm aware that the values need to be kept private, however I'm asking — in the case of some horrible breach, etc. — what would someone be able to do if they were to acquire the Login ID & Transaction Key.
Please forgive me for being tedious.
Yesterday I implemented our online web user payment form with a Client Public Transaction Key that was created in the Merchant Account. That key can be re-created as needed and is paired with the Merchant Name/API Login ID value.
It is the Merchant Transaction Key that should be kept private, but if exposed, can also be re-created.
I don't know the answer to your question, and I have not researched it on this site. It would be very good to know that answer.
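The credential split marine2026 describes (API Login ID and Public Client Key go to the browser form, the Merchant Transaction Key stays server-side) as an added example, not code from the thread or from Authorize.Net: the server assembles only the public pair for the page and checks outbound markup for any encoding of the private key before shipping it. All credential values and the `gateway` variable name are constructed placeholders.

```python
import base64
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayCredentials:
    """Constructed sample of the three values a merchant account issues."""
    api_login_id: str     # pairs with the client key; ships to the browser form
    client_key: str       # Public Client Key; re-creatable, ships to the browser form
    transaction_key: str  # Merchant Transaction Key; server-side only, never rendered

    def browser_config(self) -> dict:
        # Deliberately omits transaction_key: this is the only dict a template may embed.
        return {"apiLoginID": self.api_login_id, "clientKey": self.client_key}


def secret_forms(creds: GatewayCredentials) -> dict[str, str]:
    """Encodings a leaked transaction key commonly takes inside HTML, JS or JSON."""
    raw = creds.transaction_key.encode()
    basic = f"{creds.api_login_id}:{creds.transaction_key}".encode()
    return {
        "plain": creds.transaction_key,
        "base64": base64.b64encode(raw).decode(),
        "basic-auth": base64.b64encode(basic).decode(),  # login:key, HTTP Basic style
    }


def find_leaked_secrets(body: str, creds: GatewayCredentials) -> list[str]:
    """Return the names of the transaction-key encodings found in a response body."""
    return [name for name, form in secret_forms(creds).items() if form in body]


def render_checkout(creds: GatewayCredentials) -> str:
    """Emit the browser-side snippet and refuse to ship it if the private key leaked in."""
    html = f"<script>var gateway = {json.dumps(creds.browser_config())};</script>"
    leaks = find_leaked_secrets(html, creds)
    if leaks:
        raise RuntimeError(f"transaction key present in client markup ({', '.join(leaks)})")
    return html


# Constructed placeholder credentials; real ones come from the Merchant Interface.
SAMPLE = GatewayCredentials("demoLogin", "PUBLIC_CLIENT_KEY_SAMPLE", "TRANSKEY_SAMPLE16")
```

Running `find_leaked_secrets` over every response body (or over rendered templates in CI) catches the mistake of pasting the server-side key into a form the same way a hard-coded test credential would be caught.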