Showing results for 
Search instead for 
Did you mean: 

DPM mode relay response, any way to limit which fields are sent?

I am successfully testing auths using an test account with DPM method in PHP.


I have read the documentation pretty thoroughly, searched them and done some (google) searches but it seems that there is no way to limit the "x_" type fields that are returned via the relay response.


I would really like to pare the list down to just what I feel are the necessary few: x_response_code, x_response_reason_code, x_response_reason_text, x_MD5_Hash, and a few more. I see no reason to have the last four digits of the cc, card-holders names, card type, be returned as, though they aren't enough to do much damage on their own, might be useful for social engineering should someone get access to them.


Does anyone know If there's any way to do this? Thanks.




what are your concern? someone have access to your server? relay response url?


If someone has access to the relay response page, they also have access to your server, and they can just insert something into your checkout process to redirect the user to an infected site or AJAX the credit card values somewhere.


Basically, security stops or ends at your hosting account. Don't worry about the relay response page, worry about your password security. One infected PC and they're into your account and can do pretty much anything they want. That's why I do all my work on Macs.


It's more a case of the fact that Anet will send the response, with all those x_* fields filled to our server, unencrypted. Yes, of course the best answer would be to make sure the redirect URL is HTTPS but that may not be an option for us. In light of that, it would be good to limit what fields are returned. I mean, if we aren't using/examining those fields, there's no point in the data being sent over. I'm thinking MITM security risk but maybe I'm off-base in that regard.


Thanks for the replies so far.