Hi everyone,
I am new to Moneris and am trying to develop the payment page for my website using the hosting payment page.
On the Hosting Solution configuration page, it says:
"Both the 'ps_store_id' and 'hpp_key' are to be kept secure, though if security were to be compromised, you may generate a new 'hpp_key' without having to create a completely new configuration."
However, as per the posted sample for Hosted Paypage Credit Card Purchase, the values of 'ps_store_id' and 'hpp_key' need to be defined as hidden inputs in the HTML page. These hidden inputs can be easily discovered by using "view source" in the browser (like Internet Explorer or Google Chrome).
Am I missing something? Is there any way to make the parameters secure or hide them from being discovered?
Thanks,
In reply to MB_Moneris:
I also share the same security concern as armdoernet. I guess the important question to me is what can an attacker accomplish if they get our "ps_store_id" and/or "hpp_key" values?
Also, if my understanding of Data Preload is correct, the "ps_store_id" is still accessible to attackers. The "hpp_id" required by the "Ticketed" Hosted Payment Page form POST call is really just the "ps_store_id".
In reply to mikeroelens:
In reply to armdoernet:
In reply to Sebastien:
The preload option only exists for hosted paypage, not hosted tokenization. You can find the documentation for the hosted paypage preload option at the following link.
http://developer.moneris.com/Documentation/NA/E-Commerce%20Solutions/Hosted%20Solutions/Hosted%20Payment%20Page
Click on the "Hosted Paypage Process Flow with Data Preload" link.