Hosting Payment Page - Security

Hi everyone,

I am new to Moneris and am trying to develop the payment page on my website, using hosting payment page.

In Hosting Solution configuration page, it says:

"Both the 'ps_store_id' and 'hpp_key' are to be kept secure, though if security were to be compromised, you may generate a new 'hpp_key' without having to create a completely new configuration."

However, as per the posted sample for Hosted Paypage Credit Card Purchase, the values of 'ps_store_id' and 'hpp_key' need to be defined as hidden inputs in the HTML page. These hidden inputs can be easily discovered by using "view source" in the browser (like Internet Explorer or Google Chrome).

Am I missing something? Is there any way to make the parameters secure or hidden from discovery?

Thanks,

  • The credentials will in fact be visible by viewing source; it is one of the unfortunate parts of the form post method used to send data to our host. You could use the data preload option or hosted tokenization options to keep the data more secure.
  • In reply to MB_Moneris:

    Thanks a lot MB-Moneris. However, can we define recurring billing by using preload or hosted tokenization? I only found sections that explained one-time billings using these options. Is there anywhere that explains recurring?

    Thanks and Regards,
  • In reply to MB_Moneris:

    I also share the same security concern as armdoernet. I guess the important question to me is what can an attacker accomplish if they get our "ps_store_id" and/or "hpp_key" values?


    Also, if my understanding of Data Preload is correct, the "ps_store_id" is still accessible to attackers. The "hpp_id" required by the "Ticketed" Hosted Payment Page form POST call is really just the "ps_store_id".

  • In reply to mikeroelens:

    The only thing someone can do with your credentials (ps_store_id/hpp_key) is to send a purchase transaction on your behalf. We have seen some fraudsters grab those and run a script to process card testing. The best tactic to prevent this is the data preload option, which does not expose your credentials since the first post is not visible to cardholder/browser.
  • In reply to armdoernet:

    You can use the hosted tokenization and process a purchase with recurring using the API as a follow-on. I'll need to look into the pre-load with recurring details. It may be possible, even though it is not documented.
  • Can you please provide the documentation on how to implement the pre-load option for hosted tokenization?
    Thanks
  • In reply to Sebastien:

    There is no pre-load option for hosted tokenization.
  • In reply to MB_Moneris:

    In a previous reply, you mentioned the data preload option. Can you please point me to it?

    Thanks
  • In reply to Sebastien:

    The preload option only exists for hosted paypage, not hosted tokenization. You can find the documentation for the hosted paypage preload option at the following link.


    http://developer.moneris.com/Documentation/NA/E-Commerce%20Solutions/Hosted%20Solutions/Hosted%20Payment%20Page


    Click on the "Hosted Paypage Process Flow with Data Preload" link.
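An added illustration (not code from this thread or from Moneris) of the difference the replies describe: the sample's direct form embeds ps_store_id and hpp_key in the HTML the browser receives, while a preload flow posts the credentials server to server and sends the browser only a ticket plus hpp_id (which, as mikeroelens notes, is the ps_store_id). The gateway URL, the FakeGateway class, the ticket field name and the sample credential values are assumptions, not the Moneris API.

```python
import hmac
import html
import secrets

# Constructed sample credentials, not real Moneris values.
PS_STORE_ID = "store_example"
HPP_KEY = "hppkey_example"


def render_direct_form(ps_store_id, hpp_key, amount):
    """Pattern from the Hosted Paypage sample: credentials as hidden inputs.
    Everything rendered here is visible to anyone who views the page source."""
    return (
        '<form method="post" action="https://gateway.example/hpp">\n'
        f'  <input type="hidden" name="ps_store_id" value="{html.escape(ps_store_id)}">\n'
        f'  <input type="hidden" name="hpp_key" value="{html.escape(hpp_key)}">\n'
        f'  <input type="hidden" name="charge_total" value="{html.escape(amount)}">\n'
        "</form>"
    )


class FakeGateway:
    """Stand-in for a preload endpoint (assumption, not the Moneris API).
    The merchant server posts credentials here, never the browser; the gateway
    records the transaction and returns a single-use ticket."""

    def __init__(self):
        self.tickets = {}

    def preload(self, ps_store_id, hpp_key, amount):
        ok = hmac.compare_digest(ps_store_id, PS_STORE_ID) and hmac.compare_digest(hpp_key, HPP_KEY)
        if not ok:
            raise PermissionError("invalid merchant credentials")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"amount": amount, "used": False}
        return ticket


def render_preload_form(gateway, amount):
    """Preload pattern: hpp_key stays on the merchant server; the browser
    only sees the ticket and hpp_id (the ps_store_id, per the thread)."""
    ticket = gateway.preload(PS_STORE_ID, HPP_KEY, amount)
    return (
        '<form method="post" action="https://gateway.example/hpp">\n'
        f'  <input type="hidden" name="hpp_id" value="{html.escape(PS_STORE_ID)}">\n'
        f'  <input type="hidden" name="ticket" value="{html.escape(ticket)}">\n'
        "</form>"
    )


def leaks_hpp_key(page_html):
    """Pre-serve check: refuse to ship any page that embeds the hpp_key."""
    return HPP_KEY in page_html
```

The check only proves hpp_key is absent; ps_store_id is still exposed in the ticketed form, exactly as the thread points out.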