
Can a Transaction Key be protected before submit to Authorize.net without a request to our server?

Hello,

We are attempting to change the transaction process from the point a user clicks submit which then passes transaction data to our company server to retrieve API Login ID and Transaction ID and then the server calls Authorize.net API and waits for a response.

All of this is hidden for API Login ID and Transaction ID in this manner, however, the transaction data is posting to our server and we no longer want to do that. We would prefer to have the transaction data submit directly to the Authorize.net API, instead. In this scenario, how would we keep the API Login ID and Transaction ID from being exposed in the HTML?

I have been reading up on Accept.js, which would work fine except that Accept.js does not seem to allow track data from credit card swipes. Is there a solution for us to be able to allow credit card swipes to obtain track data and be passed via Accept.js? This would solve our problem, I believe. If not, then how would we be able to hide sensitive API Login ID and Transaction Key information before all of the transaction form data is submitted to the Authorize.net API?

Thank you,
Ryan Hinton

5 REPLIES 5
You should generate a client key to replace the transaction id. I did this this weekend using accept js.
mgagme
Member
You could also use htaccess or http.conf and assign env variable setEnv API_KEY yourkey
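
An added illustration of the split the two replies above point to, not code from any poster or from Authorize.net's samples: the page holds only the API Login ID and the public client key and hands the card fields to Accept.js, and the server, which receives only the resulting payment nonce, adds the Transaction Key from its environment. The API_KEY name follows the setEnv suggestion above; API_LOGIN_ID, the function names and all values are assumptions made for the example.

```javascript
// Added example; every key, nonce and card value used with it is a constructed placeholder.

// Browser: build the object passed to Accept.dispatchData(secureData, handler).
// Only the API Login ID and the public client key may appear in the page.
function buildSecureData(pageConfig, card) {
  if ('transactionKey' in pageConfig) {
    throw new Error('Transaction Key must never be sent to the browser');
  }
  return {
    authData: { apiLoginID: pageConfig.apiLoginID, clientKey: pageConfig.clientKey },
    cardData: { cardNumber: card.number, month: card.month, year: card.year, cardCode: card.code },
  };
}

// Browser: pull the one-time payment nonce out of the Accept.js response.
function nonceFromResponse(response) {
  if (response.messages.resultCode !== 'Ok') {
    const errors = response.messages.message.map((m) => `${m.code}: ${m.text}`);
    throw new Error(errors.join('; '));
  }
  return response.opaqueData; // { dataDescriptor, dataValue }
}

// Server: receives only the nonce and amount, adds the secret from its
// environment, and returns the createTransactionRequest body to POST.
function buildTransactionRequest(opaqueData, amount, env = process.env) {
  if (!env.API_LOGIN_ID || !env.API_KEY) {
    throw new Error('API_LOGIN_ID and API_KEY must be set on the server');
  }
  return {
    createTransactionRequest: {
      merchantAuthentication: { name: env.API_LOGIN_ID, transactionKey: env.API_KEY },
      transactionRequest: {
        transactionType: 'authCaptureTransaction',
        amount,
        payment: {
          opaqueData: {
            dataDescriptor: opaqueData.dataDescriptor,
            dataValue: opaqueData.dataValue,
          },
        },
      },
    },
  };
}
```

This covers keyed card entry only; it does not address the track-data limitation raised in the question.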

Thank you @mgagme for your feedback! If I may add more, in our case, we have multiple clients for which we store transaction keys and API login IDs. Based on the client logged in, we get the ID and key dynamically, but we are concerned about the amount of PCI forms we would have to fill out based on how we are going about sending the transaction data to our server as an HTTP form post from the website, then we grab the key and API user ID on the server side, and then we send the transaction from the server to Authorize.net. We are concerned that PCI is going to need more explanation because the transaction goes to our server before being sent to Authorize.net and we are looking for a way to avoid this scenario by trying to immediately post to Authorize.net from the website only. Also, the issue we came across with accept.js is that it does not accept track data. We allow card swiping which grabs the data for us to make a transaction on our website. With all of this in mind, we don't know how we would be able to parse track data with accept.js, because we would love to utilize it and we thought it was going to solve our issue for us. Thank you for any feedback!

Wow that sounds really complicated.  Without knowing anything really about your setup, have you considered using cookies and encrypting them? I am not that familiar with track data but did see that it is not available with acceptjs as you already discovered. Hope this helps. Maybe some webhook wizardry could help with some of this too...


@mgagme wrote:

Wow that sounds really complicated.  Without knowing anything really about your setup, have you considered using cookies and encrypting them? I am not that familiar with track data but did see that it is not available with acceptjs as you already discovered. Hope this helps. Maybe some webhook wizardry could help with some of this too...


We are concerned that PCI is going to need more explanation because the transaction goes to our server before being sent to Authorize.net and we are looking for a way to avoid this scenario by trying to immediately post to Authorize.net from the website only. Also, the issue we came across with accept.js is that it does not accept track data. We allow card swiping which grabs the data for us to make a transaction on our website.