What kind of damage could be done with the login key and transaction API of a payment gateway?

I am currently in the process of hiring a web developer who will work on a site that processes credit cards. Although they will not have credentials for the payment gateway's user interface, they will have access to the login key and transaction API, since these are embedded in the application code.

I would like to know all the what-if scenarios for the type of damage that could be done with this information. Obviously, it can process credit cards, but the money goes to the site owner's bank account, so I'm not sure how much damage that can cause. Can anyone think of any other possible scenarios?

UPDATE: the payment gateway used is Authorize.net.

+3
9 answers

Do they really need access to your production sites?

Do not store the key in your code, do not store it in your production database or in a file on the production server.

+5
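The answer above says to keep the key out of the code, the production database and files on the production server. As an added example that is not part of the original thread, the following Python shows the two halves of that advice: a loader that takes the Authorize.net API Login ID and Transaction Key only from the process environment (where a secrets manager or the deployment tooling injects them at runtime) and refuses to start without them, plus a simple scanner a pre-commit hook can run to catch credentials that were pasted into source. The environment variable names, the sample source snippet and the placeholder credential values are all constructed for the example; the credential-length bounds in the regex are an assumption, not Authorize.net documentation.

```python
import os
import re

# Constructed sample of the pattern the answer warns against: gateway
# credentials assigned as string literals in application code. These are
# placeholder values, not real Authorize.net credentials.
HARDCODED_EXAMPLE = '''
API_LOGIN_ID = "abc1234XYZ"
TRANSACTION_KEY = "0123456789ABCDEF"
'''

# Environment variable names are an assumption for this example; pick
# whatever your deployment tooling / secrets manager injects.
REQUIRED_VARS = ("AUTHNET_API_LOGIN_ID", "AUTHNET_TRANSACTION_KEY")


class MissingCredential(RuntimeError):
    """Raised when a gateway credential is absent; the app must fail closed."""


def load_gateway_credentials(env=None):
    """Read the gateway credentials from the environment (never from code).

    `env` is a mapping; it defaults to os.environ and can be replaced in tests.
    Returns a dict of the required variables or raises MissingCredential.
    """
    env = os.environ if env is None else env
    creds = {}
    for name in REQUIRED_VARS:
        value = env.get(name, "").strip()
        if not value:
            # Do not fall back to a default or a file on the production host:
            # that is exactly what the answer says not to do.
            raise MissingCredential(f"{name} is not set; refusing to start")
        creds[name] = value
    return creds


def redact(secret: str) -> str:
    """Mask a credential for log output, keeping only the last two characters."""
    return "*" * max(len(secret) - 2, 0) + secret[-2:]


# Matches `api_login_id = "..."` / `transaction_key: '...'` style assignments.
# The 8..32 alphanumeric length window is an assumption chosen to limit noise.
KEY_ASSIGNMENT = re.compile(
    r'(?i)(api_?login_?id|transaction_?key)\s*[:=]\s*["\']([A-Za-z0-9]{8,32})["\']'
)


def find_hardcoded_credentials(source: str):
    """Return (variable_name, literal_value) pairs that look like embedded keys.

    Intended for a pre-commit hook or CI step over the repository's source;
    reading from os.environ or a config object does not match because the
    right-hand side is not a quoted literal.
    """
    return [(m.group(1), m.group(2)) for m in KEY_ASSIGNMENT.finditer(source)]


if __name__ == "__main__":
    for name, value in find_hardcoded_credentials(HARDCODED_EXAMPLE):
        print(f"hardcoded credential {name} = {redact(value)}")
    try:
        creds = load_gateway_credentials()
        print("loaded", {k: redact(v) for k, v in creds.items()})
    except MissingCredential as exc:
        print("startup refused:", exc)
```

The scanner is deliberately narrow (quoted literals on the right-hand side only) so that the correct pattern, reading the value through `os.environ`, does not trigger it; widen the regex to match your own variable names if they differ.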

Some good answers here; I'll just add that you are likely to have problems with PCI.
PCI-DSS specifically dictates separation of duties, isolation of production environments from dev/test, protection of encryption keys from everyone who does not require them, and much more. As @Matthew Watson said, rethink this and do not give developers production access.


Source: https://habr.com/ru/post/1697855/