Search

OUR API

API Developer Guides API Reference Sample Code [on GitHub]
SDKs [on GitHub] API Change Log System Change Log
Upgrade Guide

Hello World

Get Started Common Setup Questions How Payments Work
Testing Guide Go-Live Checklist

Support

Get Support News and Announcements Forums
Authorize.Net on GitHub Authorize.Net on Stack Overflow Developer Blog
Response (Error) Codes FAQs Knowledge Base

Sign In

Sandbox Affiliate

Search Developer Site

Integration and Testing

Authorize.Net API questions and help with your payment integration.

Reply
Highlighted
Member
rcast34209
Posts: 3
Registered: ‎04-11-2013

Zipcode alteration - SIM Method

‎04-11-2013 09:03 AM

I've built a shopping cart and shipping calculator on my client site that gets rates and sales tax based on the zip code the user enters while checking out (before the authorize.net secure payment page). When the user finalizes entering his zip code, selecting a shipping service, then he is allowed to checkout (go to authorize.net payment page). I'm using the SIM method and the problem I've discovered is, if the user decides to enter a different shipping address and zip code on the authorize.net payment page then what he originally entered on my clients site to calculate the shipping and tax rates, then there could be a big shipping cost and tax difference between what the user is paying and what it actually costs. How do I go about combatting this? Is there a way to lock in the zip code entered on my clients site, on the authorize.net payment page, and disable the HTML text field? How would I do this? This is a big security hole.

Message 1 of 6 (78,202 Views)
Reply
0 Kudos
Highlighted
Expert
RaynorC1emen7
Posts: 4,525
Registered: ‎03-08-2010

Re: Zipcode alteration - SIM Method

‎04-11-2013 12:34 PM

You can turn it off on the authorize.net payment page.

Login to merchant account, account settings, form fields, turn it shipping info off.

Message 2 of 6 (78,181 Views)
Reply
0 Kudos
Highlighted
Member
rcast34209
Posts: 3
Registered: ‎04-11-2013

Re: Zipcode alteration - SIM Method

‎04-11-2013 06:07 PM

To reduce liability and save money, i opted for the SIM method and no SSL certificate. Because of this, I do not collect any personal information from my clients site. So the only information the client site accepts is the zip code (and this tallies the shipping rate for the cart and the taxes) - I pass these off to the authorize.net payment page, so I cannot disable the shipping info because I have never collected it yet. The only thing I'm passing is a itemized list of the items in and prices. Is there a way to pass the zip code and lock it in? If not, should I collect shipping info from customer even though I do not have SSL certificate?

Message 3 of 6 (78,169 Views)
Reply
0 Kudos
Highlighted
Expert
RaynorC1emen7
Posts: 4,525
Registered: ‎03-08-2010

Re: Zipcode alteration - SIM Method

‎04-11-2013 06:28 PM

Is there a way to pass the zip code and lock it in? Yes and no. you could pass the zip in as a hidden fieids and make it not display on authorize.net payment form. But anyone with some html knowlege can go in a modify it on the form that post to authorize.net

 

You can collect shipping info without SSL, as long as no CC info.

Message 4 of 6 (78,166 Views)
Reply
0 Kudos
Highlighted
Member
rcast34209
Posts: 3
Registered: ‎04-11-2013

Re: Zipcode alteration - SIM Method

‎04-12-2013 06:56 AM

Alright I'll take it from here, thanks!

Message 5 of 6 (78,159 Views)
Reply
0 Kudos
Highlighted
TJPride
Posts: 1,609
Topics: 15
Kudos: 201
Solutions: 121
Registered: ‎06-23-2011

Re: Zipcode alteration - SIM Method

‎04-12-2013 11:50 PM

If you use DPM, where the form is still on your server (but posting to Authorize.net directly, so the credit card data never passes through your server...) then you can use Javascript validation to check the zip code onsubmit() and see if it matches what they put in on your cart. If it doesn't, you can disable the submit and pop up a message saying that they need to go back and change the value in the cart. It's worth the cost of the SSL certificate to save you the hours it wil take to deal with this otherwise.

Message 6 of 6 (78,120 Views)
Reply
0 Kudos