Channel: Square Developer Forums - Latest topics

Web Payments SDK Security Exposure


I believe there is a security exposure in the Web Payments SDK.

In Australia, merchants are permitted to add a credit/debit card surcharge to cover the costs of processing the payment. This surcharge may vary by card brand.

With the Web Payments SDK widget, we can get the card brand from the tokenize result. However, the only way for the server to determine the card brand is by passing the value as a parameter along with the card token. At the server end, there’s no way to validate that the card brand received is the correct value for the card token.

In other words, a malicious user could alter the card brand that is posted to the server, thus obtaining a lower or zero surcharge, and there’s no way for the server to prevent this from happening.

2 posts - 2 participants

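The flaw described in the post, shown as an added example that is not part of the original thread and not Square's code: a server that computes the surcharge from the brand the browser posted, beside a server that derives the brand only from the card token and treats the posted brand purely as a tamper signal. The surcharge rates are constructed sample values, the tokens are made up, and `resolveBrandFromToken` is an assumed stand-in for whatever server-to-server call the processor offers to look up the card behind a token; it is an in-memory map here so the example runs offline.

```javascript
// Added example (not from the original post): client-supplied card brand
// trusted for surcharge calculation, versus brand derived server-side.
//
// Assumptions (not from the post): rates are constructed sample values in
// basis points; resolveBrandFromToken() stands in for an authoritative
// processor lookup keyed by the card token.

const SURCHARGE_BPS = {
  VISA: 100,             // 1.00%  (constructed sample rates)
  MASTERCARD: 100,
  AMERICAN_EXPRESS: 200, // 2.00%
  DEBIT: 0,
};

// Integer cents in, integer cents out; round half up so totals reconcile.
function surchargeCents(amountCents, brand) {
  if (!Number.isInteger(amountCents) || amountCents < 0) {
    throw new RangeError("amount must be a non-negative integer of cents");
  }
  const bps = SURCHARGE_BPS[brand];
  if (bps === undefined) throw new Error(`unknown card brand: ${brand}`);
  return Math.floor((amountCents * bps + 5000) / 10000);
}

// VULNERABLE: the brand is read straight from the POST body, so anyone can
// send cardBrand: "DEBIT" alongside an Amex token and pay no surcharge.
function vulnerableTotal(body) {
  const surcharge = surchargeCents(body.amountCents, body.cardBrand);
  return { surcharge, total: body.amountCents + surcharge };
}

// Constructed stand-in for the processor: in production this is a
// server-to-server call that resolves the token to the card it represents,
// never anything the browser sent.
const TOKEN_TO_BRAND = {
  cnon_amex_sample: "AMERICAN_EXPRESS",
  cnon_visa_sample: "VISA",
};
function resolveBrandFromToken(token) {
  const brand = TOKEN_TO_BRAND[token];
  if (brand === undefined) throw new Error("unknown or expired card token");
  return brand;
}

// HARDENED: the brand comes only from the token. The client-supplied brand
// is compared against it so a mismatch can be logged or rejected, but it
// never influences the amount charged.
function hardenedTotal(body, resolve = resolveBrandFromToken) {
  const brand = resolve(body.cardToken);
  const tampered = body.cardBrand !== undefined && body.cardBrand !== brand;
  const surcharge = surchargeCents(body.amountCents, brand);
  return { brand, surcharge, total: body.amountCents + surcharge, tampered };
}

// Constructed requests: the attacker keeps the real token but rewrites the
// brand field in the POST body before it reaches the server.
const attackerRequest = {
  amountCents: 10000,
  cardToken: "cnon_amex_sample", // token really belongs to an Amex card
  cardBrand: "DEBIT",            // rewritten by the client
};
const honestRequest = {
  amountCents: 10000,
  cardToken: "cnon_visa_sample",
  cardBrand: "VISA",
};

console.log("vulnerable:", vulnerableTotal(attackerRequest)); // surcharge 0
console.log("hardened:  ", hardenedTotal(attackerRequest));   // surcharge 200, tampered
console.log("honest:    ", hardenedTotal(honestRequest));     // surcharge 100
```

The design point is that the posted brand can at most be a tamper indicator; if the processor offers no way to resolve the token to a card before the charge is created, the server cannot apply a brand-dependent surcharge safely and has to fall back to a brand-independent one.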