All,
We have selected to use "accept.js with UI" option for sending payments to authorize.net.
Therefore, we're using the payment button with attributes that configure the built-in payment form.
<button type="button"
class="AcceptUI"
data-billingAddressOptions='{"show":true, "required":false}'
data-apiLoginID="YOUR API LOGIN ID"
data-clientKey="YOUR PUBLIC CLIENT KEY"
data-acceptUIFormBtnTxt="Submit"
data-acceptUIFormHeaderTxt="Card Information"
data-responseHandler="responseHandler">Pay
</button>
My security concern with this solution is that anyone logged-in to our site can view the api Login ID/Client secret key by just right click and view source option in the browser.
Isn't that a security concern? Would that not affect PCI Compliance regulations?
Yes, you have to be signed in (ie you have to know the user's user name/password) but in worst case scenario, if some hacker obtains login credentials for any of the users of the site he can in reality compromise our merchant account with authorize.net by getting the api login ID/client key.
How much damage can a hacker do if he knows our api login ID/client key?
Should we be concerned about this?
As a possible solution:
I tried to delay populate the "data-apiLoginID/data-clientKey" attributes on the payment button when the user clicks the payment button to bring up the payment form but at that point it is too late, it did not work,- when you submitted the form it was stuck at loading screen.
It would be beneficial and more secure in my opinion if we could use JS to populate "data-apiLoginID/data-clientKey" attributes before brining up the payment form. This way these fields could not be viewed using HTML source view.
