disable certain POSTs?

[dadamssg87]

This may be a long shot but is there a way to configure your server to disable certain POSTs? I'm working with the Authorize.net SIM API which after a successful transaction you can get authorize.net to POST data to a particular web page. The POST sends back customer name, amount of transaction, date, billing information, shipping information, and it also post back the credit card like so "XXXXXXXX3043".

 

To limit my exposure to any kind of credit card information i'd rather just disable the $_POST['x_card_number'] that gets posted.

 

Is that possible?

[TeNDoLLA]

Yes it is possible. Modify the code that sends the POST variables to not send the not wanted POST variables.

[dadamssg87]

i can't modify authorize.net's code...

[TeNDoLLA]

Don't think it is possible to prevent it then from posting. I am not really familiar with that API, but maybe there is some settings you could define how it will respond ?

[Adam]

POST data is just sent as a simple sting to the web server. Plus you can't "conditionally deny a request" without the server having received it. What are you going to do with the last 4 digits though? It's sent that way purposefully to make it useless.

[dadamssg87]

Absolutely nothing. I only want to store Customer name, transaction ID, and the amount but since the POST has cardholder data, that requires my server and code to be PCI compliant...which is a headache.

[phpSensei]

Absolutely nothing. I only want to store Customer name, transaction ID, and the amount but since the POST has cardholder data, that requires my server and code to be PCI compliant...which is a headache.

 

Who else will be able to see POST['x_card_number']?

 

I dont see the security issue here.