Bugtraq mailing list archives

Re: VERISIGN "PAYFLOW LINK" PAYMENT SERVICE SECURITY FAILURE


From: David Frascone <dave () frascone com>
Date: Sat, 5 Jan 2002 19:21:53 -0600

It really depends on the application.  The cart I maintain gets the info
back from verisign via the post, *and* an e-mailed receipt.  Also, we
routinely verify large orders at verisign directly.

I'll admit that it's a hole, I just don't think it's a very big one.


Just my $.02 worth,


Dave

On Friday, 04 Jan 2002, keith royster wrote:
PAYFLOW LINK SERVICE DESCRIPTION: The final checkout page of various online 
shopping cart applications presents the shopper with a form asking for credit 
card acct#, exp date, etc.  When the shopper submits the form, the data is sent 
directly to the vendor's PayFlow Link account at Verisign for validation.  If 
the credit card information is validated, Verisign authorizes payment and 
submits the data back to the vendor's shopping cart application.  When the 
vendor's shopping app receives this data, it assumes payment was authorized and 
finalizes the order for the vendor to fill and ship it. 
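
The cross-check described in the reply above (posted data, the separately e-mailed receipt, and direct verification of large orders), shown as an added example that is not part of the original messages or of any cart's code. The field names, the review threshold and the sample records are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical threshold above which an order is verified by hand at the processor.
REVIEW_THRESHOLD = Decimal("500.00")

def decide(posted, receipts, cart_total):
    """Return 'finalize', 'manual_review' or 'hold' for one posted-back order.

    posted     -- fields received in the POST back to the cart (untrusted)
    receipts   -- order_id -> record parsed from the separately e-mailed receipt
    cart_total -- Decimal amount the cart computed itself for this order
    """
    try:
        posted_amount = Decimal(str(posted.get("amount")))
    except InvalidOperation:
        return "hold"                      # missing or non-numeric amount
    if not posted_amount.is_finite() or posted_amount != cart_total:
        return "hold"                      # POST disagrees with the cart's own total
    receipt = receipts.get(posted.get("order_id"))
    if receipt is None:
        return "hold"                      # nothing independent backs this POST
    if receipt["result"] != "approved" or receipt["amount"] != cart_total:
        return "hold"                      # receipt does not confirm this payment
    if cart_total >= REVIEW_THRESHOLD:
        return "manual_review"             # large order: verify at the processor
    return "finalize"

# Constructed sample data (not real transactions).
RECEIPTS = {
    "A100": {"amount": Decimal("19.99"), "result": "approved"},
    "A102": {"amount": Decimal("899.00"), "result": "approved"},
}

if __name__ == "__main__":
    cases = [
        ({"order_id": "A100", "amount": "19.99"}, Decimal("19.99")),
        ({"order_id": "A101", "amount": "45.00"}, Decimal("45.00")),
        ({"order_id": "A102", "amount": "899.00"}, Decimal("899.00")),
    ]
    for posted, total in cases:
        print(posted["order_id"], decide(posted, RECEIPTS, total))
```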

