Accept Hosted - What could someone do if they got Login ID & Transaction Key?
Hi all
I'm looking into using Accept Hosted for a client - to use Customer & Payment Profile IDs for monthly dynamic charges.
I want to better understand the security risks involved. (I've got the tech chops to build the site*, it's the security I'm concerned about)
What's the worst that could happen if someone were to get the Login ID & Transaction Key?
It seems to me they'd be limited to creating charges/refunds only between my client and their customers - but an auth.net phone rep said they could use them to get the Gateway ID, and then change my client's connected bank acct to one they have access to.
*FWIW: I've got the page, with an iFrame, working (in Sandbox) to add a Payment Profile to an existing Customer Profile.
(Please don't reply for me to just keep the ID & Key secure)
TIA,
-Joel
11-15-2023 12:41 PM - edited 11-15-2023 12:44 PM
There are hosted payment forms that require two of the values in the web browser form. So they are not kept secret.
There must be a way to prevent those parts of the credentials from becoming a complete set, for unauthorized access.
11-16-2023 11:35 PM
Thanks @marine2026. I'm aware that the values need to be kept private, however I'm asking - in the case of some horrible breach, etc. - what would someone be able to do if they were to acquire the Login ID & Transaction Key.
Anybody?
TIA,
-Joel
11-17-2023 09:06 AM
Joel,
Please forgive me for being tedious.
Yesterday I implemented our online web user payment form with a Client Public Transaction Key that was created in the Merchant Account. That key can be re-created as needed and is paired with the Merchant Name/API Login ID value.
It is the Merchant Transaction Key that should be kept private, but if exposed, can also be re-created.
I don't know the answer to your question, and I have not researched it on this site. It would be very good to know that answer.
David
11-21-2023 08:32 AM
<bump>
Any other thoughts from anyone?
(I'm thinking especially if someone got direct access to the web server and could change the PHP to simply output the keys…?)
TIA,
-Joel
11-27-2023 11:51 AM
If someone were to obtain the Login ID and Transaction Key for Authorize.Net, the risks include unauthorized transactions, potential access to sensitive customer information, manipulation of payment settings, and damage to your client's reputation. To mitigate these risks, prioritize secure communication (HTTPS), implement tokenization for sensitive data, conduct regular security audits, enforce strict access controls, and store information securely. Consult with cybersecurity experts and Authorize.Net for guidance on best practices.
12-08-2023 09:00 AM
Thanks so much, @AlyKhan. Yes, we'll be using HTTPS, keeping the keys off of the web server, etc. My biggest concern has been if someone were to gain access to the web server itself and then modify the PHP to output the keys (as text). I guess one big issue is whether I can trust the web hosting co. …
12-08-2023 02:28 PM