Reply
Highlighted
Member
Posts: 7
Registered: ‎11-20-2013
Accepted Solution

Is x_login necessary for DPM?

The Developer Guide states that x_login is a required field for DPM, which I makes sense from a technical standpoint.  But to me it seems insecure.  A similar question was asked about AIM.  But for that method, x_login doesn't have to be sent to the client browser.  But for DPM, x_login must be sent to the client as that is where the POST occurs.

 

Hence, the client knows the value, which could be readily obtained.  True, the code could be obfuscated, but at the end of the day, a form post is needed with x_login being in the plain.

 

It seems that the Direct Post Method is effectively publishing a value that the Guide states "must be stored securely."

 

Am I missing something or not understanding this correctly?

 

 


Accepted Solutions
Highlighted
Solution
Accepted by topic author Steven
‎08-21-2015 01:58 AM
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Is x_login necessary for DPM?

Without worry about PCI on a shared hosting. It about the same between DPM vs AIM. loginID is just the loginID, it is useless without the transactionKey.

View solution in original post


All Replies
Highlighted
Member
Posts: 7
Registered: ‎11-20-2013

Re: Is x_login necessary for DPM?

A quick clarification.  Regarding "x_login being in the plain", I was referring to the DOM context.  An attacker could enter bogus but well formed data and then debug into the client session to find x_login's value.

Highlighted
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Is x_login necessary for DPM?

Yes it is required. else authorize.net won't know who send them the DPM request.

Just make sure transactionKey is not getting post.

Highlighted
Member
Posts: 7
Registered: ‎11-20-2013

Re: Is x_login necessary for DPM?

Thank you, and yes that makes sense.  But let me rephrase my question.

 

Which would be more secure?

  DPM (where the API Login ID is not secure)

       OR

  AIM wherein the credit card info is not persisted.

 

1) If the merchant server is compromised, DPM really doesn't help as the credit card info could be stolen anyway.

2) My understanding of PCI is that persisting the credit data is key criteria, in-flight use does seem to matter so DPM is no simpler than AIM without persistence with respects to PCI.  (And as 1) is true, I don't know why 2) wouldn't be true as well).

 

In brief, I am struggling to see any compelling reason to use DPM as AIM provides a more robust user experience without giving away the API Login ID.

 

 

 

 

 

 

Highlighted
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Is x_login necessary for DPM?

[ Edited ]

1)Is the same for both DPM and AIM.

2)The only different is the CC info go thru your server with AIM, while DPM is thru Authorize.net server. So it is somewhat less PCI if you don't save the CC info.

Highlighted
Member
Posts: 7
Registered: ‎11-20-2013

Re: Is x_login necessary for DPM?

Thanks again.  But I'm just a little quesy about x_login being made public via DPM.

 

This is probably a hard question, but PCI aside, if on a shared hosting plan, from a pure security standpoint, which would be safer?

  A) DPM that gives out x_login

  B) AIM that doesn't persistance of credit card info (though with CC info going to server...)

Highlighted
Solution
Accepted by topic author Steven
‎08-21-2015 01:58 AM
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Is x_login necessary for DPM?

Without worry about PCI on a shared hosting. It about the same between DPM vs AIM. loginID is just the loginID, it is useless without the transactionKey.