
Zipcode alteration - SIM Method

I've built a shopping cart and shipping calculator on my client's site that gets rates and sales tax based on the zip code the user enters while checking out (before the authorize.net secure payment page). Once the user has finished entering his zip code and selecting a shipping service, he is allowed to check out (go to the authorize.net payment page). I'm using the SIM method, and the problem I've discovered is that if the user decides to enter a different shipping address and zip code on the authorize.net payment page than what he originally entered on my client's site to calculate the shipping and tax rates, there could be a big shipping cost and tax difference between what the user is paying and what it actually costs. How do I go about combatting this? Is there a way to lock in the zip code entered on my client's site, on the authorize.net payment page, and disable the HTML text field? How would I do this? This is a big security hole.

rcast34209
Member
6 REPLIES 6

You can turn it off on the authorize.net payment page.

Log in to the merchant account, account settings, form fields, turn the shipping info off.

RaynorC1emen7
Expert

To reduce liability and save money, I opted for the SIM method and no SSL certificate. Because of this, I do not collect any personal information from my client's site. So the only information the client site accepts is the zip code (and this tallies the shipping rate for the cart and the taxes). I pass these off to the authorize.net payment page, so I cannot disable the shipping info because I have never collected it yet. The only thing I'm passing is an itemized list of the items in and prices. Is there a way to pass the zip code and lock it in? If not, should I collect shipping info from the customer even though I do not have an SSL certificate?

Is there a way to pass the zip code and lock it in? Yes and no. You could pass the zip in as a hidden field and make it not display on the authorize.net payment form. But anyone with some HTML knowledge can go in and modify it on the form that posts to authorize.net.

 

You can collect shipping info without SSL, as long as no CC info.

Alright I'll take it from here, thanks!

If you use DPM, where the form is still on your server (but posting to Authorize.net directly, so the credit card data never passes through your server...), then you can use JavaScript validation to check the zip code onsubmit() and see if it matches what they put in on your cart. If it doesn't, you can disable the submit and pop up a message saying that they need to go back and change the value in the cart. It's worth the cost of the SSL certificate to save you the hours it will take to deal with this otherwise.

The MD5 Hash is not calculated otherwise when the x_type=void as you can see this tool. The quantity used while generating the MD5 hash cost in our device for voided transactions is zero.00.

ales567
Member
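
As the replies above note, a zip code passed through the browser can be changed before it reaches the payment form, so the check that holds is one made on the merchant's server after payment: compare what the gateway reports with the order saved at cart time, and hold the order when they differ. This is an added example, not code from the thread or from Authorize.net. It assumes the gateway response posted back to the merchant carries `x_invoice_num`, `x_amount` and `x_ship_to_zip` and has already been authenticated; `reconcileOrder`, `normalizeZip`, `toCents` and the sample orders are hypothetical names and constructed data.

```javascript
// Added example: reconcile a hosted-payment response with the order saved
// at cart time. Field names on `response` are assumptions (see lead-in).

// Reduce a US ZIP or ZIP+4 to its 5-digit base; null if it is not a ZIP.
function normalizeZip(zip) {
  const m = String(zip ?? "").trim().match(/^(\d{5})(?:[-\s]?\d{4})?$/);
  return m ? m[1] : null;
}

// Parse "58.40" or "58.4" into integer cents to avoid float comparison.
function toCents(amount) {
  const m = String(amount ?? "").trim().match(/^(\d+)(?:\.(\d{1,2}))?$/);
  if (!m) return null;
  return Number(m[1]) * 100 + Number((m[2] || "").padEnd(2, "0"));
}

// Returns { release, problems }: release the order for fulfilment only
// when invoice, amount paid and ship-to ZIP all match the saved quote.
function reconcileOrder(savedOrder, response) {
  const problems = [];
  if (response.x_invoice_num !== savedOrder.invoice) {
    problems.push("invoice_mismatch");
  }
  const paid = toCents(response.x_amount);
  if (paid === null || paid !== toCents(savedOrder.total)) {
    problems.push("amount_mismatch");
  }
  const shipZip = normalizeZip(response.x_ship_to_zip);
  if (shipZip === null) {
    problems.push("ship_zip_missing_or_invalid");
  } else if (shipZip !== normalizeZip(savedOrder.quotedZip)) {
    problems.push("ship_zip_mismatch"); // shipping and tax were quoted for another ZIP
  }
  return { release: problems.length === 0, problems };
}

// Constructed sample data: the order as saved by the cart, and two responses.
const savedOrder = { invoice: "INV-1001", total: "58.40", quotedZip: "34209" };
const sameZip = { x_invoice_num: "INV-1001", x_amount: "58.40", x_ship_to_zip: "34209-1234" };
const changedZip = { ...sameZip, x_ship_to_zip: "99501" };

console.log(reconcileOrder(savedOrder, sameZip));
console.log(reconcileOrder(savedOrder, changedZip));
```

An order that fails the check can be held for manual review or re-quoted before it ships.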