I'm setting up a payment gateway on our site that we can post information to via php (so all information is hidden from prying eyes) which will post to authorize.net, post back to our gateway and post back to our current page. The purpose for this is to give us a streamlined method of processing payments and easier debugging.
I have an auth key that is required to be posted to our gateway for the transaction to be processed. Is it worth it for me to secure a list of approved URLs to accept posts from, or is that too easily manipulated?
Do you have any other ideas on what I should focus on in regards to securing my gateway?
update
This gateway has a login/key pair used for authorize.net that it submits to. I have a 64 digit md5 encoded key that I use for domain.com to communicate with gateway.domain.com which happens of course over SSL. I'm inquiring as to whether that key is enough. Given, anyone with that key could run a transaction, but why would they... it would only be giving us money.