11-20-2013 06:39 AM
The Developer Guide states that x_login is a required field for DPM, which makes sense from a technical standpoint. But to me it seems insecure. A similar question was asked about AIM. But for that method, x_login doesn't have to be sent to the client browser. But for DPM, x_login must be sent to the client as that is where the POST occurs.
Hence, the client knows the value, which could be readily obtained. True, the code could be obfuscated, but at the end of the day, a form post is needed with x_login being in the plain.
It seems that the Direct Post Method is effectively publishing a value that the Guide states "must be stored securely."
Am I missing something or not understanding this correctly?
11-20-2013 06:57 AM
A quick clarification. Regarding "x_login being in the plain", I was referring to the DOM context. An attacker could enter bogus but well formed data and then debug into the client session to find x_login's value.
11-20-2013 11:41 AM
Thank you, and yes that makes sense. But let me rephrase my question.
Which would be more secure?
DPM (where the API Login ID is not secure)
AIM wherein the credit card info is not persisted.
1) If the merchant server is compromised, DPM really doesn't help as the credit card info could be stolen anyway.
2) My understanding of PCI is that persisting the credit data is a key criterion, in-flight use does seem to matter so DPM is no simpler than AIM without persistence with respect to PCI. (And as 1) is true, I don't know why 2) wouldn't be true as well).
In brief, I am struggling to see any compelling reason to use DPM as AIM provides a more robust user experience without giving away the API Login ID.
11-20-2013 01:05 PM - edited 11-20-2013 01:05 PM
1) Is the same for both DPM and AIM.
2) The only difference is the CC info goes thru your server with AIM, while with DPM it goes thru the Authorize.net server. So it is somewhat less PCI if you don't save the CC info.
11-20-2013 03:50 PM
Thanks again. But I'm just a little queasy about x_login being made public via DPM.
This is probably a hard question, but PCI aside, if on a shared hosting plan, from a pure security standpoint, which would be safer?
A) DPM that gives out x_login
B) AIM that doesn't persist credit card info (though with CC info going to the server...)
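The worry running through this thread is that a DPM form exposes x_login in the browser DOM. The example below, added here and not taken from the thread or from Authorize.net's own code, shows why that exposure is tolerable: a DPM form also carries a fingerprint (x_fp_hash) computed on the merchant server with the transaction key, which never reaches the client. The fingerprint layout (HMAC-MD5 over "login^sequence^timestamp^amount^currency", keyed with the transaction key) is assumed from the DPM documentation of the period; the gateway-side check is a simulation of what the gateway does, and all credentials and values are constructed samples.

```python
import hashlib
import hmac

# Constructed sample credentials for this example only (not real Authorize.net values).
SAMPLE_LOGIN = "merchant_login_1"           # x_login: DPM places this in the client-side form
SAMPLE_TRANSACTION_KEY = "s3rv3r-0nly-key"  # transaction key: stays on the merchant server


def dpm_fingerprint(login, transaction_key, sequence, timestamp, amount, currency=""):
    """Compute the x_fp_hash value for a DPM form.

    Assumed layout (from the DPM docs of the period): HMAC-MD5 over
    "login^sequence^timestamp^amount^currency", keyed with the transaction key.
    The transaction key is the real secret; x_login on its own is not.
    """
    message = f"{login}^{sequence}^{timestamp}^{amount}^{currency}"
    return hmac.new(transaction_key.encode("utf-8"), message.encode("utf-8"),
                    hashlib.md5).hexdigest()


def build_dpm_form_fields(login, transaction_key, amount, sequence, timestamp):
    """Merchant-server side: assemble the hidden fields embedded in the checkout page.

    Everything returned here ends up visible in the client's DOM. The transaction
    key is used only to compute the hash and is never placed in the form.
    """
    return {
        "x_login": login,
        "x_fp_sequence": str(sequence),
        "x_fp_timestamp": str(timestamp),
        "x_amount": amount,
        "x_fp_hash": dpm_fingerprint(login, transaction_key, sequence, timestamp, amount),
    }


def gateway_accepts(fields, transaction_key):
    """Simulated gateway-side check (a hypothetical stand-in for the real gateway logic).

    Recomputes the fingerprint from the posted fields with the transaction key on
    file for that x_login and compares it in constant time.
    """
    expected = dpm_fingerprint(fields["x_login"], transaction_key,
                               fields["x_fp_sequence"], fields["x_fp_timestamp"],
                               fields["x_amount"])
    return hmac.compare_digest(expected, fields.get("x_fp_hash", ""))


def demo():
    """Show what a client that can read x_login from the DOM can and cannot do."""
    legit = build_dpm_form_fields(SAMPLE_LOGIN, SAMPLE_TRANSACTION_KEY,
                                  amount="49.99", sequence=1001, timestamp=1384950000)

    # Editing the amount in the DOM leaves the fingerprint stale, so it no longer verifies.
    tampered = dict(legit, x_amount="0.01")

    # A form built with the visible x_login but without the server-held key does not verify.
    wrong_key_form = build_dpm_form_fields(SAMPLE_LOGIN, "not-the-real-key",
                                           amount="0.01", sequence=1002, timestamp=1384950060)

    return {
        "legit_accepted": gateway_accepts(legit, SAMPLE_TRANSACTION_KEY),
        "tampered_accepted": gateway_accepts(tampered, SAMPLE_TRANSACTION_KEY),
        "wrong_key_accepted": gateway_accepts(wrong_key_form, SAMPLE_TRANSACTION_KEY),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The design point is that x_login behaves like a username and the transaction key like a password: the DOM reveals the former, but every DPM post is bound to the latter through the fingerprint, so a shared-hosting neighbour or a debugging customer who reads x_login still cannot submit a form the gateway will honour. The merchant-side risk that remains is the one raised in 1) above, a compromised server that leaks the transaction key itself.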