We are updating our systems to increase the security of the Authorize.Net hosted payment form, receipt page and email receipts. As part of this change, support for HTML, JavaScript and CSS in these pages will be disabled effective immediately. This includes the use of links and hosted images. Plain text will still be supported.
While the changes we are implementing will not disrupt merchants’ ability to process transactions, it will impact the format of the information their customers will see on the payment form, receipt page and email receipts. The following information will be of use should any merchants contact you regarding this change.
There are two locations to check for HTML JavaScript or CSS, the Merchant Interface and the API configuration.
To check the Merchant Interface:
- Login to the Merchant Interface at https://account.authorize.net.
- Click on Account at the top right.
- Under Transaction Format Settings check the following:
- Payment Form
- Click on Header link to see any text saved.
- Click on Footer link to see any text saved.
- Receipt Page
- Click on Header link to see any text saved.
- Click on Footer link to see any text saved.
- Email Receipt
- See the Header and Footer options.
4. Remove any HTML, JavaScript or CSS and Save.
If there is no text in any of the fields listed above the API Integration should be examined. Specifically,
Payment Form
- x_header_html_payment_form
- x_header2_html_payment_form
- x_footer_html_payment_form
- x_footer2_html_payment_form
Receipt Page
- x_header_html_receipt
- x_header2_html_receipt
- x_footer_html_receipt
- x_footer2_html_receipt
E-mail Receipt
- x_header_email_receipt
- x_footer_email_receipt
It is possible to customize a merchant’s hosted payment form including the font, text color and background color using API calls or settings available in the Merchant Interface. Additional information on these customizations is available in the Server Integration Method implementation guide, page 43, at http://www.authorize.net/support/SIM_guide.pdf or in this Knowledge Base article: https://support.authorize.net/authkb/index?page=content&id=A539.
One important note regarding the changes described above. If the merchant is currently presenting a logo on the hosted payment form, receipt page or email receipts in the header or footer, that logo will no longer appear. In order to present a logo moving forward, you will need to send the logo URL via an API call using x_logo_url, e.g., x_logo_url=http://www.authorize.net/images/authorizenet_150_42.gif. Please note that this method will only allow for one logo to be displayed on both the payment form and receipt page.
Finally, please note that with this change, Simple Checkout will not support adding logos to the payment form or receipt page.
If you have questions about these required changes, please post them here and we will respond as quickly as possible.
