Reply
Highlighted
Member
Posts: 3
Registered: ‎04-11-2013

Zipcode alteration - SIM Method

I've built a shopping cart and shipping calculator on my client site that gets rates and sales tax based on the zip code the user enters while checking out (before the authorize.net secure payment page). When the user finalizes entering his zip code, selecting a shipping service, then he is allowed to checkout (go to authorize.net payment page). I'm using the SIM method and the problem I've discovered is, if the user decides to enter a different shipping address and zip code on the authorize.net payment page then what he originally entered on my clients site to calculate the shipping and tax rates, then there could be a big shipping cost and tax difference between what the user is paying and what it actually costs. How do I go about combatting this? Is there a way to lock in the zip code entered on my clients site, on the authorize.net payment page, and disable the HTML text field? How would I do this? This is a big security hole.

Highlighted
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Zipcode alteration - SIM Method

You can turn it off on the authorize.net payment page.

Login to merchant account, account settings, form fields, turn it shipping info off.

Highlighted
Member
Posts: 3
Registered: ‎04-11-2013

Re: Zipcode alteration - SIM Method

To reduce liability and save money, i opted for the SIM method and no SSL certificate. Because of this, I do not collect any personal information from my clients site. So the only information the client site accepts is the zip code (and this tallies the shipping rate for the cart and the taxes) - I pass these off to the authorize.net payment page, so I cannot disable the shipping info because I have never collected it yet. The only thing I'm passing is a itemized list of the items in and prices. Is there a way to pass the zip code and lock it in? If not, should I collect shipping info from customer even though I do not have SSL certificate?

Highlighted
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Zipcode alteration - SIM Method

Is there a way to pass the zip code and lock it in? Yes and no. you could pass the zip in as a hidden fieids and make it not display on authorize.net payment form. But anyone with some html knowlege can go in a modify it on the form that post to authorize.net

 

You can collect shipping info without SSL, as long as no CC info.

Highlighted
Member
Posts: 3
Registered: ‎04-11-2013

Re: Zipcode alteration - SIM Method

Alright I'll take it from here, thanks!

Highlighted
Posts: 1,609
Topics: 15
Kudos: 201
Solutions: 121
Registered: ‎06-23-2011

Re: Zipcode alteration - SIM Method

If you use DPM, where the form is still on your server (but posting to Authorize.net directly, so the credit card data never passes through your server...) then you can use Javascript validation to check the zip code onsubmit() and see if it matches what they put in on your cart. If it doesn't, you can disable the submit and pop up a message saying that they need to go back and change the value in the cart. It's worth the cost of the SSL certificate to save you the hours it wil take to deal with this otherwise.