[ic] authnet security risk?

Paul Jordan interchange-users@icdevgroup.org
Sat Feb 22 14:12:00 2003


Hi guys

I signed up for Authnet about a year ago. Can someone who had Authnet please
confirm this:

"
A year ago Authorizenet had TWO passwords, 1 for the merchant to log into
Authnet and 1 for "password required mode" to send orders AUTHNET_SECRET.
"

Recently, they did away with a few of their connection methods, ADC Direct,
which is what I used, is now AIM. AIM requires "password required mode". Now
it seems that Authorizenet only has ONE password, which is used for logging
into the merchant site and sending orders (AUTHNET_SECRET).

Does this seem like an unnecessary risk to anyone? Authorizenet stores ALL
past customers' credit card numbers. If I have my AUTHNET_SECRET on my
server, would that be the same as keeping/storing all credit card numbers in
the plain?

I choose not to store credit card numbers in IC for security reasons. However,
I am storing the keys to the castle in IC, so what is the difference?

I have contacted Authnet about this. They said they ALWAYS only had ONE
password, but I seem to remember there being two. Can someone confirm??

I am of the opinion my webserver should only have enough information to
"send/clear" an order, and not the information to log into my merchant
account and see/get everything, that could ruin a company (hold customer
numbers for ransom like CD Universe and Egghead).

TIA

Paul