Allowing Accept.JS Public Client Key operations with Authorized API IP Address Filtering enabled
My company's SaaS application is using the Accept.JS library to send credit card numbers from the end users' browser to Authorize.Net directly. The application then retrieves the nonce, stores it, and uses that for future payment transactions from our servers.
Everything works well unless IP filtering is enabled (Fraud Detection Suite > Authorized API IP Addresses). One of our clients has enabled IP filtering as a layer of security, adding the IP addresses of our production servers. When this is enabled, however, the Accept.JS call to create the nonce fails with an E00118 error (The transaction was submitted from a blocked IP address).
On one hand, this makes sense, of course. On the other hand, creating a nonce isn't a risky operation, and it isn't possible to add every potential IP address a customer would be assigned.
Proposed solution: We feel that operations authenticated using the public client key, such as creating a payment nonce, should be excluded from IP Filtering. Alternatively, a separate set of IP filtering rules could apply to public client key authenticated operations.
Potential workarounds:
- Disable IP Filtering (the client is opposed to this)
- Pass the credit card numbers to the server and submit them server-side (the development team is opposed to this)
- ???
This application scenario seems pretty standard, so perhaps someone reading this has another solution or workaround. If so, please let me know.
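Added example, not part of the original post or of Authorize.Net's own code: the two halves of the flow described above, written so that an E00118 response from the nonce call is surfaced to the user as an IP-filter block rather than as a generic card error. The Accept.js names used here (`Accept.dispatchData`, `authData`, `cardData`, `opaqueData`, the `messages.resultCode` / `messages.message[]` response shape, `E00118`, and the `createTransactionRequest` JSON with an `opaqueData` payment) are the documented API; the function names, the sample responses, and the merchant credentials are my own constructed placeholders.

```javascript
// Added example (not from the original post): classify an Accept.js response so an
// IP-filter block (E00118) is reported distinctly from card-data errors, and build the
// server-side request that consumes the resulting nonce.
// Assumes the documented Accept.js response shape:
//   { messages: { resultCode: 'Ok' | 'Error', message: [{ code, text }] },
//     opaqueData: { dataDescriptor, dataValue } }

const IP_BLOCKED_CODE = 'E00118'; // "The transaction was submitted from a blocked IP address"

// Pure function: inspect the payload handed to an Accept.js responseHandler.
function classifyAcceptResponse(response) {
  const messages = (response && response.messages) || {};
  const list = Array.isArray(messages.message) ? messages.message : [];
  const opaqueData = response && response.opaqueData;
  if (messages.resultCode === 'Ok' && opaqueData && opaqueData.dataValue) {
    return { ok: true, opaqueData };
  }
  const codes = list.map((m) => m.code);
  return {
    ok: false,
    codes,
    // The merchant's Authorized API IP Address filter rejected the browser's address;
    // re-entering card details will not help, so the UI should say so explicitly.
    blockedByIpFilter: codes.includes(IP_BLOCKED_CODE),
    text: list.map((m) => `${m.code}: ${m.text}`).join('; '),
  };
}

// Browser side: wrap Accept.dispatchData in a Promise. Only works where the Accept.js
// script has been loaded (it defines the global `Accept`); the public client key is
// the only credential that reaches the browser.
function requestNonce(apiLoginID, clientKey, cardData) {
  return new Promise((resolve, reject) => {
    if (typeof Accept === 'undefined') {
      reject(new Error('Accept.js is not loaded'));
      return;
    }
    Accept.dispatchData({ authData: { apiLoginID, clientKey }, cardData }, (response) => {
      const result = classifyAcceptResponse(response);
      if (result.ok) {
        resolve(result.opaqueData);
      } else {
        reject(Object.assign(new Error(result.text), result));
      }
    });
  });
}

// Server side: the nonce travels as opaqueData inside a createTransactionRequest,
// authenticated with the API login ID and transaction key that never leave the server.
function buildChargeRequest(merchantAuthentication, opaqueData, amount) {
  if (!opaqueData || !opaqueData.dataDescriptor || !opaqueData.dataValue) {
    throw new Error('missing opaqueData');
  }
  return {
    createTransactionRequest: {
      merchantAuthentication,
      transactionRequest: {
        transactionType: 'authCaptureTransaction',
        amount: amount.toFixed(2),
        payment: {
          opaqueData: {
            dataDescriptor: opaqueData.dataDescriptor,
            dataValue: opaqueData.dataValue,
          },
        },
      },
    },
  };
}

// Constructed sample responses (placeholder values, not real nonces) for offline use.
const SAMPLE_OK = {
  messages: { resultCode: 'Ok', message: [{ code: 'I00001', text: 'Successful.' }] },
  opaqueData: { dataDescriptor: 'COMMON.ACCEPT.INAPP.PAYMENT', dataValue: 'PLACEHOLDER_NONCE' },
};
const SAMPLE_BLOCKED = {
  messages: {
    resultCode: 'Error',
    message: [{ code: 'E00118', text: 'The transaction was submitted from a blocked IP address.' }],
  },
};
const SAMPLE_BAD_CARD = {
  messages: { resultCode: 'Error', message: [{ code: 'E_WC_05', text: 'Please provide valid credit card number.' }] },
};

console.log(classifyAcceptResponse(SAMPLE_BLOCKED).blockedByIpFilter); // true
```

Keeping the classification in a pure function lets the same check run in unit tests and in the browser, and makes the IP-filter case visible in client-side error telemetry, which is how a support team would notice that a merchant has enabled Authorized API IP Address filtering without realising it also blocks the public-key nonce call.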