托管支付网关和隐藏字段篡改
我正在尝试为我的雇主寻找电子商务解决方案,我们有必要使用托管支付页面来最大程度地减少 PCI 合规问题。研究了几家公司的解决方案后,似乎他们都希望你通过隐藏字段或GET变量向他们提交交易总价,以便生成付款表单。对于商家来说,这似乎是一个相当大的问题,因为具有 Firebug(或眼睛,在 GET 变量的情况下)的用户可以轻松修改交易总额,获取新的托管支付表单,并继续结账,从而给自己带来任何好处他们想要的折扣。
有人之前设置过托管支付页面并处理过这个问题吗?对于更好的做事方式有什么建议吗?
I am in the midst of trying to find an e-commerce solution for my employer, and it is necessary that we go with a hosted payment page to minimize our PCI compliance woes. After researching several companies' solutions, it seems that they all expect you to submit the total price of the transaction to them via a hidden field or GET variables in order to generate the payment form. This seems like a sizable concern for the merchant, since a user with Firebug (or eyes, in the case of GET variables) could easily modify the transaction total, get a new hosted payment form, and continue with the checkout, thus giving themselves whatever discount they desire.
Has anyone set up a hosted payment page before and dealt with this issue? Any suggestions for a better way to do things?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
通常,这些表单会提交一个哈希值,这些表单是用用户不知道的秘密值(例如密码、交易密钥等)生成的。因此,如果他们篡改金额(也用于计算哈希值),那么支付网关将拒绝交易。用户无法通过更改哈希来绕过此问题,因为他们没有计算哈希所需的所有信息。
因此,使用这些托管表单是安全的,不会被滥用。如果不是,它们就不是可行的产品,网关也无法提供它们使用。
There usually is a hash submitted with those forms that are generated with secret values that the user won't know (e.g. password, transaction key, etc). So if they tamper with the amount, which is also used in calculating the hash's value, then the payment gateway will reject the transaction. The user cannot bypass this by changing the hash because they do not have all of the information required to calculate it.
So using these hosted forms are safe from abuse. If they weren't they wouldn't be viable products and the gateways couldn't offer them for use.