PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Authorize.net Security

  1. VFHwebdev
    Member

    I'd like some more information about the security of transactions taking place with the Authorize.net Gravity Forms plugin. I have my forms secured with a basic SSL certificate, but I'm not sure that's enough.

    When a purchaser enters credit card info into my form, are those credit card fields housed in an iframe and actually on an authorize.net server or are the fields actually residing in my form, on my web server?

    My (limited) understanding is that if the fields are housed within my form, on my web server, then an SSL cert isn't actually very secure.

    I'm finding few if any details about the security of the Authorize.net plugin. Where can I get this information?

    Posted 11 years ago on Tuesday July 9, 2013
  2. David Peralty

    The data on the form is secure as long as you are using an SSL cert and loading the page through HTTPS. Those fields are on your site, but an SSL connection stops outside parties from being able to read/intercept that data. It is sent through that secure/encrypted connection to Authorize.net where it is processed. It is not stored on your server/database.

    Posted 11 years ago on Tuesday July 9, 2013
  3. VFHwebdev
    Member

    Thanks. I'm being told by our organization's comptroller that an SSL set up like this is not secure by PCI compliance standards because the transactions can be intercepted and redirected via a "man in the middle" SSL attack (and other potential vulnerabilities). They're telling me that unless the credit card number fields are loaded via an iframe (and actually hosted on an authorize.net server) then basic SSL encryption isn't enough.

    They say the server itself has to be secured from other threats to meet the stringent PCI compliance standards.

    So I'm reassured that the credit card number isn't saved, but I don't think that tells me everything I need to know. Are the fields residing on my server or are they loaded remotely via an iframe?

    Posted 11 years ago on Tuesday July 9, 2013
  4. VFHwebdev
    Member

    Just re-read your reply and I think you answered my question. The fields do reside on my server, which unfortunately means I can't use this solution.

    I wish this functioned more like the PayPal plugin where the buyer is taken to the credit card processor's server for payment. Or that the credit card fields were pulled in remotely via an iframe from a secure location.

    Posted 11 years ago on Tuesday July 9, 2013
  5. David Peralty

    Sorry, but that's how Authorize.net works, and how all sites using that payment gateway work as far as I know.

    Posted 11 years ago on Tuesday July 9, 2013
  6. VFHwebdev
    Member

    Thanks David. I appreciate the prompt responses.

    Posted 11 years ago on Tuesday July 9, 2013
  7. David Peralty

    No problem. All my best!

    Posted 11 years ago on Tuesday July 9, 2013
  8. Naomi
    Member

    If you're looking for a solution that allows you to take credit cards directly on your site, but with none of the PCI-compliance issues because the credit card information never hits your servers, check out Stripe and the Gravity Forms Stripe Add-On I created.

    Posted 11 years ago on Wednesday July 10, 2013
  9. David Peralty

    Thanks Naomi, I forgot how the Stripe Add-on works. Does it work like PayPal, like Authorize.net, or does it pull in the fields from Stripe? I think it works like our Authorize.net add-on, which means, for this customer, it might not be "secure enough".

    Posted 11 years ago on Wednesday July 10, 2013
  10. Naomi
    Member

    Hi David,

    It sounds like there's a misunderstanding here on how PCI-compliance works -- it governs wherever the credit card data is handled, not where form fields reside because form fields are meaningless until a user inputs some data :-) So I think the original poster is trying to say that if the fields are "posted" to his server or hit his server in any way, then the SSL certificate is not enough to satisfy PCI-compliance.

    And that's the issue he's having with Authorize.net -- the credit card information is posted to the website server where the form is being submitted, which means the website owner has to go through the PCI-compliance setup.

    With Stripe, the credit card information never hits the server where the form is being submitted, as it is posted directly to Stripe's Level 1 PCI-compliant servers. This allows you to take credit cards directly on your site, without the time and expense of having to set up PCI compliance yourself.

    Posted 11 years ago on Wednesday July 10, 2013

This topic has been resolved and has been closed to new replies.