tags:

views:

17

answers:

1
Q: 

Payment gateway URL subdomain

We're considering setting up a subdomain gateway.domain.com where that sub domain will process all of our payments to authorize.net from possibly multiple sections of our site, our internal and external systems alike. I know it would need SSL and I'm guessing I should accept $_POST from a restricted list of URLs and extreme data validation.

I'm wondering what your thoughts are on this. Are there any security risks that I'm not thinking of?

A: 

Putting it on a subdomain doesn't have any security issues associated with it in concept as where the payments are handled on your website really doesn't mean anything as far as payment processing goes. All the usual security issues still apply regardless of where you put it on your website.

There are also no real benefits to this either other than, perhaps, you only need to get an SSL certificate for that subdomain assuming you don't need it anywhere else on your website. But that's barely a benefit if one at all.

John Conde  2010-06-25 20:26:22
Authorize only accepts payments from a single domain or subdomain per account. So by processing them all through 1 subdomain we gain the ability to process credit cards on multiple subdomains accross our site via 1 authorize account instead of multiple.
Webnet  2010-06-25 20:57:23
Are you sure about that? I am a certified Authnet developer and have done dozens of integrations for them I don't know of that requirement existing. Can you provide me to a link where it states that?
John Conde  2010-06-28 13:16:11

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL