From 030e99a9b819b4ae7334b2e4a1b0466157cc2c64 Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Fri, 22 May 2026 23:52:18 +0530
Subject: [PATCH 1/9] ssl verification added for apple pay

---
 validateApplePayMerchant.php | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/validateApplePayMerchant.php b/validateApplePayMerchant.php
index d8c71bb..e6cf126 100644
--- a/validateApplePayMerchant.php
+++ b/validateApplePayMerchant.php
@@ -23,11 +23,9 @@
         curl_setopt($ch, CURLOPT_POSTFIELDS, $validationPayload);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 300);
-	// The following two curl SSL options are set to "false" for ease of development/debug purposes only.
-	// Any code used in production should either remove these lines or set them to the appropriate
-	// values to properly use secure connections for PCI-DSS compliance.
-        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);	//for production, set value to true or 1
-        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);	//for production, set value to 2
+	// SSL certificate verification enabled for secure connections and PCI-DSS compliance
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);	//verify SSL certificate
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);	//verify certificate matches hostname
 	curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
 	curl_setopt($ch, CURLOPT_SSLCERT, './certs/apple-pay-test-cert.pem');
         curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $pemPwd);

From edab2beafe0f6c428f93c6166df9bce9d07f1eec Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Sat, 23 May 2026 01:05:12 +0530
Subject: [PATCH 2/9] ssl verification fixes for application

---
 createTransactionWithProfile.php | 9 ++++-----
 getHostedPaymentForm.php         | 9 ++++-----
 getProfiles.php                  | 9 ++++-----
 getToken.php                     | 9 ++++-----
 transactionCaller.php            | 9 ++++-----
 5 files changed, 20 insertions(+), 25 deletions(-)

diff --git a/createTransactionWithProfile.php b/createTransactionWithProfile.php
index b05511d..e36f41a 100644
--- a/createTransactionWithProfile.php
+++ b/createTransactionWithProfile.php
@@ -43,11 +43,10 @@
         curl_setopt($ch, CURLOPT_POSTFIELDS, $transRequestXml->asXML());
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 300);
-	// The following two curl SSL options are set to "false" for ease of development/debug purposes only.
-	// Any code used in production should either remove these lines or set them to the appropriate
-	// values to properly use secure connections for PCI-DSS compliance.
-        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);	//for production, set value to true or 1
-        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);	//for production, set value to 2
+	// SSL certificate verification enabled for secure connections and PCI-DSS compliance
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);	//verify SSL certificate
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);	//verify certificate matches hostname
+	curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);	//enforce TLS 1.2 minimum
         curl_setopt($ch, CURLOPT_DNS_USE_GLOBAL_CACHE, false );
         $content = curl_exec($ch);
         if (FALSE === $content)
diff --git a/getHostedPaymentForm.php b/getHostedPaymentForm.php
index f40cd7c..de43daa 100644
--- a/getHostedPaymentForm.php
+++ b/getHostedPaymentForm.php
@@ -79,11 +79,10 @@
     curl_setopt($ch, CURLOPT_POSTFIELDS, $xml->asXML());
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 300);
-    // The following two curl SSL options are set to "false" for ease of development/debug purposes only.
-    // Any code used in production should either remove these lines or set them to the appropriate
-    // values to properly use secure connections for PCI-DSS compliance.
-    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    //for production, set value to true or 1
-    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    //for production, set value to 2
+    // SSL certificate verification enabled for secure connections and PCI-DSS compliance
+    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);    //verify SSL certificate
+    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    //verify certificate matches hostname
+    curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);    //enforce TLS 1.2 minimum
     curl_setopt($ch, CURLOPT_DNS_USE_GLOBAL_CACHE, false);
     //curl_setopt($ch, CURLOPT_PROXY, 'userproxy.visa.com:80');
     $content = curl_exec($ch);
diff --git a/getProfiles.php b/getProfiles.php
index f461f2c..6406804 100755
--- a/getProfiles.php
+++ b/getProfiles.php
@@ -20,11 +20,10 @@
         curl_setopt($ch, CURLOPT_POSTFIELDS, $xml->asXML());
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 300);
-	// The following two curl SSL options are set to "false" for ease of development/debug purposes only.
-	// Any code used in production should either remove these lines or set them to the appropriate
-	// values to properly use secure connections for PCI-DSS compliance.
-        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);	//for production, set value to true or 1
-        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);	//for production, set value to 2
+	// SSL certificate verification enabled for secure connections and PCI-DSS compliance
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);	//verify SSL certificate
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);	//verify certificate matches hostname
+	curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);	//enforce TLS 1.2 minimum
         curl_setopt($ch, CURLOPT_DNS_USE_GLOBAL_CACHE, false );
         $content = curl_exec($ch);
         $profileResponse = new SimpleXMLElement($content);
diff --git a/getToken.php b/getToken.php
index 2684874..a3e2546 100755
--- a/getToken.php
+++ b/getToken.php
@@ -50,11 +50,10 @@
     curl_setopt($ch, CURLOPT_POSTFIELDS, $xml->asXML());
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 300);
-    // The following two curl SSL options are set to "false" for ease of development/debug purposes only.
-    // Any code used in production should either remove these lines or set them to the appropriate
-    // values to properly use secure connections for PCI-DSS compliance.
-    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    //for production, set value to true or 1
-    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    //for production, set value to 2
+    // SSL certificate verification enabled for secure connections and PCI-DSS compliance
+    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);    //verify SSL certificate
+    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    //verify certificate matches hostname
+    curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);    //enforce TLS 1.2 minimum
     curl_setopt($ch, CURLOPT_DNS_USE_GLOBAL_CACHE, false);
     $content = curl_exec($ch);
     $response = new SimpleXMLElement($content);
diff --git a/transactionCaller.php b/transactionCaller.php
index e4938a1..de4ee77 100644
--- a/transactionCaller.php
+++ b/transactionCaller.php
@@ -55,11 +55,10 @@
         curl_setopt($ch, CURLOPT_POSTFIELDS, $transRequestXml->asXML());
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 300);
-	// The following two curl SSL options are set to "false" for ease of development/debug purposes only.
-	// Any code used in production should either remove these lines or set them to the appropriate
-	// values to properly use secure connections for PCI-DSS compliance.
-        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);	//for production, set value to true or 1
-        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);	//for production, set value to 2
+	// SSL certificate verification enabled for secure connections and PCI-DSS compliance
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);	//verify SSL certificate
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);	//verify certificate matches hostname
+	curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);	//enforce TLS 1.2 minimum
         curl_setopt($ch, CURLOPT_DNS_USE_GLOBAL_CACHE, false );
         $content = curl_exec($ch);
         if (FALSE === $content)

From 28d106e7a2aa6026a8d51fcef7eecfd634ea6bc0 Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Sat, 23 May 2026 01:47:17 +0530
Subject: [PATCH 3/9] session authentication fixes

---
 index.php |  8 ++++++++
 login.php | 27 +++++++++++++++++++++------
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/index.php b/index.php
index c961c0e..f6e0868 100755
--- a/index.php
+++ b/index.php
@@ -1,5 +1,13 @@
 <?php
 	session_start();
+	
+	// Security: Verify user is authenticated via server-side session
+	if(!isset($_SESSION['authenticated_cpid'])){
+		// No valid session - redirect to login
+		header('Location: login.php');
+		exit;
+	}
+	
 	include 'getToken.php';
 	include 'generateCardinalJWT.php';
 	if ($response->messages->resultCode != "Ok") {
diff --git a/login.php b/login.php
index 3d137da..8802405 100644
--- a/login.php
+++ b/login.php
@@ -1,20 +1,35 @@
 <?php
     session_start();
     $newURL="index.php";
+    
+    // Handle form submission
 	if(isset($_POST['submit'])) 
 	{
+		$customerId = $_POST['form-username'];
+		
+		// Store authenticated customer ID in server-side session
+		$_SESSION['authenticated_cpid'] = $customerId;
+
 		if(isset($_POST['cookieCheck'])){
-			setcookie("cpid",$_POST['form-username'], time() + (86400*7), "/");
-			header('Location: '.$newURL);
+			setcookie("cpid", $customerId, time() + (86400*7), "/");
 		}
 		else{
-			setcookie("temp_cpid",$_POST['form-username'], 0, "/");
-			header('Location: '.$newURL);
+			setcookie("temp_cpid", $customerId, 0, "/");
 		}
+		
+		header('Location: '.$newURL);
+		exit;
 	}
 
-	if(isset($_COOKIE['cpid'])){
+	// Check if user is authenticated via server-side session
+	if(isset($_SESSION['authenticated_cpid'])){
 		header('Location: '.$newURL);
+		exit;
+	}
+	
+	if(isset($_COOKIE['cpid']) && !isset($_SESSION['authenticated_cpid'])){
+		setcookie("cpid", "", time() - 3600, "/");
+		setcookie("temp_cpid", "", time() - 3600, "/");
 	}
 ?>
 <!DOCTYPE html>
@@ -78,4 +93,4 @@
 
     </body>
 
-</html>
\ No newline at end of file
+</html>

From 8b52cd31808f42ce3ba603c4dd97390ff5c2ae21 Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Sat, 23 May 2026 17:45:33 +0530
Subject: [PATCH 4/9] addition of authentication and csrf

---
 chargeProfile.js                 | 117 ++++++++++++++++---------------
 createTransactionWithProfile.php |  28 ++++++++
 index.php                        |   6 ++
 3 files changed, 93 insertions(+), 58 deletions(-)

diff --git a/chargeProfile.js b/chargeProfile.js
index cee3665..da1b875 100644
--- a/chargeProfile.js
+++ b/chargeProfile.js
@@ -1,17 +1,19 @@
-function showResult(msg)
-{
-	try{
-		responseObj=JSON.parse(msg);
-		if(responseObj.transactionResponse.responseCode=='1'){
-			message="Transaction Successful!<br>Transaction ID: "+responseObj.transactionResponse.transId;
-		}
-		else{
-			message="Transaction Unsuccessful.";//+responseObj.messages.message[0].text;
-			if(responseObj.transactionResponse.errors!=null)//to do: take care of errors[1] array being parsed into single object
-			{
-				message+=responseObj.transactionResponse.errors.error.errorText;
-			}
-			/*else if(responseObj.transactionResponse.errors[0]!=null)
+function showResult(msg) {
+  try {
+    responseObj = JSON.parse(msg);
+    if (responseObj.transactionResponse.responseCode == "1") {
+      message =
+        "Transaction Successful!<br>Transaction ID: " +
+        responseObj.transactionResponse.transId;
+    } else {
+      message = "Transaction Unsuccessful."; //+responseObj.messages.message[0].text;
+      if (
+        responseObj.transactionResponse.errors != null
+      ) //to do: take care of errors[1] array being parsed into single object
+      {
+        message += responseObj.transactionResponse.errors.error.errorText;
+      }
+      /*else if(responseObj.transactionResponse.errors[0]!=null)
 			{
 				for(i=0;i<responseObj.transactionResponse.errors.length;i++)
 				{
@@ -19,51 +21,50 @@ function showResult(msg)
 					message+=responseObj.transactionResponse.errors[i].error.errorText;
 				}
 			}*/
-			if(responseObj.transactionResponse.transId!=null)
-			{
-				message+="<br>";
-				message+=("Transaction ID: "+responseObj.transactionResponse.transId)
-			}
-		}
-	}
-	catch(error){
-		console.log("Couldn't parse result string");
-		message="Error.";
-	}
-	
-	//alert(message);
-	
-	$('#acceptJSReceiptHeader').html("<h4 class='modal-title'>ACCEPT.JS EXAMPLE</h4>");
-	$('#acceptJSReceiptBody').html(message);
-	//jQuery.noConflict();
-	$('#acceptJSReceiptModal').modal('show');
-}
+      if (responseObj.transactionResponse.transId != null) {
+        message += "<br>";
+        message += "Transaction ID: " + responseObj.transactionResponse.transId;
+      }
+    }
+  } catch (error) {
+    console.log("Couldn't parse result string");
+    message = "Error.";
+  }
 
-function createProfileTransaction() {
-	
-	$.ajax({
-		
-		url: "createTransactionWithProfile.php",
-		// These profiles IDs would NOT BE HARDCODED of course but rather taken from the logged in user
-		data: {amount: Math.floor((Math.random() * 100) + 1), customerProfileId: "1808251712", paymentProfileId: "1803116214"},
-		method: 'POST',
-		timeout: 5000
-		
-	}).done(function(data){
-		
-		console.log('Success');
-		
-	}).fail(function(){
-		
-		console.log('Error');
-		
-	}).always(function(textStatus){
-		
-		console.log(textStatus);
-		showResult(textStatus);
-		
-	})
-	
+  //alert(message);
+
+  $("#acceptJSReceiptHeader").html(
+    "<h4 class='modal-title'>ACCEPT.JS EXAMPLE</h4>",
+  );
+  $("#acceptJSReceiptBody").html(message);
+  //jQuery.noConflict();
+  $("#acceptJSReceiptModal").modal("show");
 }
 
+function createProfileTransaction() {
+  // Security: Get CSRF token from hidden input
+  var csrfToken = $("#csrfToken").val();
 
+  $.ajax({
+    url: "createTransactionWithProfile.php",
+    // These profiles IDs would NOT BE HARDCODED of course but rather taken from the logged in user
+    data: {
+      amount: Math.floor(Math.random() * 100 + 1),
+      customerProfileId: "1808251712",
+      paymentProfileId: "1803116214",
+      csrf_token: csrfToken, // Security: Include CSRF token
+    },
+    method: "POST",
+    timeout: 5000,
+  })
+    .done(function (data) {
+      console.log("Success");
+    })
+    .fail(function () {
+      console.log("Error");
+    })
+    .always(function (textStatus) {
+      console.log(textStatus);
+      showResult(textStatus);
+    });
+}
diff --git a/createTransactionWithProfile.php b/createTransactionWithProfile.php
index e36f41a..bf5ddfe 100644
--- a/createTransactionWithProfile.php
+++ b/createTransactionWithProfile.php
@@ -1,4 +1,32 @@
 <?php
+session_start();
+
+// Security: Verify user is authenticated via server-side session
+if(!isset($_SESSION['authenticated_cpid'])){
+    http_response_code(401);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Unauthorized', 'message' => 'Authentication required']);
+    exit;
+}
+
+// Security: Validate that authenticated user owns the profile
+$authenticatedCustomerId = $_SESSION['authenticated_cpid'];
+$requestedCustomerId = $_POST['customerProfileId'];
+
+if($authenticatedCustomerId !== $requestedCustomerId){
+    http_response_code(403);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Forbidden', 'message' => 'You do not have permission to use this profile']);
+    exit;
+}
+
+// Security: Validate CSRF token
+if(!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']){
+    http_response_code(403);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Forbidden', 'message' => 'Invalid CSRF token']);
+    exit;
+}
 
 $transRequestXmlStr=<<<XML
 <?xml version="1.0" encoding="UTF-8"?>
diff --git a/index.php b/index.php
index f6e0868..1b29d26 100755
--- a/index.php
+++ b/index.php
@@ -8,6 +8,11 @@
 		exit;
 	}
 	
+	// Security: Generate CSRF token for form submissions
+	if(!isset($_SESSION['csrf_token'])){
+		$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+	}
+	
 	include 'getToken.php';
 	include 'generateCardinalJWT.php';
 	if ($response->messages->resultCode != "Ok") {
@@ -414,6 +419,7 @@ function onVisaCheckoutReady() {
 <body style=" background: url('scripts/background.png'); padding-top: 50px;">
 	
 	<input type='hidden' id='cardinalRequestJwt' value='<?php echo $cardinalRequestJwt; ?>'>
+	<input type='hidden' id='csrfToken' value='<?php echo $_SESSION['csrf_token']; ?>'>
 	
 	<div class="container-fluid" style="width: 100%; margin: 0; padding:0">
 		

From 89f201637493fda2bf1369f3af30ba7fcf6550b7 Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Sat, 23 May 2026 17:52:29 +0530
Subject: [PATCH 5/9] addition of authentication and csrf for payments

---
 acceptJSCaller.js          | 192 +++++++++++-----------
 applePayCaller.js          | 258 +++++++++++++++---------------
 payerAuthCaller.js         | 319 ++++++++++++++++++++-----------------
 transactionCaller.php      |  26 +++
 visaCheckoutTransaction.js | 121 +++++++-------
 5 files changed, 492 insertions(+), 424 deletions(-)

diff --git a/acceptJSCaller.js b/acceptJSCaller.js
index 22febb0..cc5eb90 100644
--- a/acceptJSCaller.js
+++ b/acceptJSCaller.js
@@ -1,18 +1,20 @@
 // The result of the transaction processing will be returned from the processing script as a JSON object. Parse the object to determine success or failure, and alert the user.
-function messageFunc(msg)
-{
-	try{
-		responseObj=JSON.parse(msg);
-		if(responseObj.transactionResponse.responseCode=='1'){
-			message="Transaction Successful!<br>Transaction ID: "+responseObj.transactionResponse.transId;
-		}
-		else{
-			message="Transaction Unsuccessful.";//+responseObj.messages.message[0].text;
-			if(responseObj.transactionResponse.errors!=null)//to do: take care of errors[1] array being parsed into single object
-			{
-				message+=responseObj.transactionResponse.errors.error.errorText;
-			}
-			/*else if(responseObj.transactionResponse.errors[0]!=null)
+function messageFunc(msg) {
+  try {
+    responseObj = JSON.parse(msg);
+    if (responseObj.transactionResponse.responseCode == "1") {
+      message =
+        "Transaction Successful!<br>Transaction ID: " +
+        responseObj.transactionResponse.transId;
+    } else {
+      message = "Transaction Unsuccessful."; //+responseObj.messages.message[0].text;
+      if (
+        responseObj.transactionResponse.errors != null
+      ) //to do: take care of errors[1] array being parsed into single object
+      {
+        message += responseObj.transactionResponse.errors.error.errorText;
+      }
+      /*else if(responseObj.transactionResponse.errors[0]!=null)
 			{
 				for(i=0;i<responseObj.transactionResponse.errors.length;i++)
 				{
@@ -20,95 +22,99 @@ function messageFunc(msg)
 					message+=responseObj.transactionResponse.errors[i].error.errorText;
 				}
 			}*/
-			if(responseObj.transactionResponse.transId!=null)
-			{
-				message+="<br>";
-				message+=("Transaction ID: "+responseObj.transactionResponse.transId)
-			}
-		}
-	}
-	catch(error){
-		console.log("Couldn't parse result string");
-		message="Error.";
-	}
-	
-	//alert(message);
-	
-	$('#acceptJSReceiptBody').html(message);
-	//jQuery.noConflict();
-	$('#acceptJSPayModal').modal('hide');
-	$('#acceptJSReceiptModal').modal('show');
+      if (responseObj.transactionResponse.transId != null) {
+        message += "<br>";
+        message += "Transaction ID: " + responseObj.transactionResponse.transId;
+      }
+    }
+  } catch (error) {
+    console.log("Couldn't parse result string");
+    message = "Error.";
+  }
+
+  //alert(message);
+
+  $("#acceptJSReceiptBody").html(message);
+  //jQuery.noConflict();
+  $("#acceptJSPayModal").modal("hide");
+  $("#acceptJSReceiptModal").modal("show");
 }
 
 // Do an AJAX call to submit the transaction data and the payment none to a separate PHP page to do the actual transaction processing.
 function createTransact(dataObj) {
-	
-	// Set Amount for demo purposes if not set by callers form
-	myAmt = document.getElementById('amount').value;
-	if(!myAmt)
-	{
-		myAmt = Math.floor((Math.random() * 100) + 1);
-	}
-	console.log('Amount = '+myAmt);
-	
-	$.ajax({
-		
-		url: "transactionCaller.php",
-		data: {amount: myAmt, dataDesc: dataObj.dataDescriptor, dataValue: dataObj.dataValue},
-		method: 'POST',
-		timeout: 5000
-		
-	}).done(function(data){
-		
-		console.log('Success');
-		
-	}).fail(function(){
-		
-		console.log('Error');
-		
-	}).always(function(textStatus){
-		
-		console.log(textStatus);
-		messageFunc(textStatus);
-		
-	})
-	
+  // Set Amount for demo purposes if not set by callers form
+  myAmt = document.getElementById("amount").value;
+  if (!myAmt) {
+    myAmt = Math.floor(Math.random() * 100 + 1);
+  }
+  console.log("Amount = " + myAmt);
+
+  // Security: Get CSRF token from hidden input
+  var csrfToken = $("#csrfToken").val();
+
+  $.ajax({
+    url: "transactionCaller.php",
+    data: {
+      amount: myAmt,
+      dataDesc: dataObj.dataDescriptor,
+      dataValue: dataObj.dataValue,
+      csrf_token: csrfToken, // Security: Include CSRF token
+    },
+    method: "POST",
+    timeout: 5000,
+  })
+    .done(function (data) {
+      console.log("Success");
+    })
+    .fail(function () {
+      console.log("Error");
+    })
+    .always(function (textStatus) {
+      console.log(textStatus);
+      messageFunc(textStatus);
+    });
 }
 
 // Process the response from Authorize.Net to retrieve the two elements of the payment nonce.
 // If the data looks correct, record the OpaqueData to the console and call the transaction processing function.
-function  responseHandler(response) {
-	if (response.messages.resultCode === 'Error') {
-		for (var i = 0; i < response.messages.message.length; i++) {
-			console.log(response.messages.message[i].code + ':' + response.messages.message[i].text);
-		}
-		alert("acceptJS library error!")
-	} else {
-		console.log(response.opaqueData.dataDescriptor);
-		console.log(response.opaqueData.dataValue);
-		createTransact(response.opaqueData);
-	}
+function responseHandler(response) {
+  if (response.messages.resultCode === "Error") {
+    for (var i = 0; i < response.messages.message.length; i++) {
+      console.log(
+        response.messages.message[i].code +
+          ":" +
+          response.messages.message[i].text,
+      );
+    }
+    alert("acceptJS library error!");
+  } else {
+    console.log(response.opaqueData.dataDescriptor);
+    console.log(response.opaqueData.dataValue);
+    createTransact(response.opaqueData);
+  }
 }
 
-function acceptJSCaller()
-{
-	var  secureData  =  {}  ,  authData  =  {}  ,  cardData  =  {};
-	
-	// Extract the card number and expiration date.
-	cardData.cardNumber  =  document.getElementById('creditCardNumber').value;
-	cardData.cardCode = document.getElementById('cvv').value;
-	cardData.month  =  document.getElementById('expiryDateMM').value;
-	cardData.year  =  document.getElementById('expiryDateYY').value;
-	secureData.cardData  =  cardData;
+function acceptJSCaller() {
+  var secureData = {},
+    authData = {},
+    cardData = {};
+
+  // Extract the card number and expiration date.
+  cardData.cardNumber = document.getElementById("creditCardNumber").value;
+  cardData.cardCode = document.getElementById("cvv").value;
+  cardData.month = document.getElementById("expiryDateMM").value;
+  cardData.year = document.getElementById("expiryDateYY").value;
+  secureData.cardData = cardData;
+
+  // The Authorize.Net Client Key is used in place of the traditional Transaction Key. The Transaction Key
+  // is a shared secret and must never be exposed. The Client Key is a public key suitable for use where
+  // someone outside the merchant might see it.
 
-	// The Authorize.Net Client Key is used in place of the traditional Transaction Key. The Transaction Key
-	// is a shared secret and must never be exposed. The Client Key is a public key suitable for use where
-	// someone outside the merchant might see it.
+  authData.clientKey =
+    "6jZy4G5vmCEat9G3xjtNguj7DLw5NhgS4PBr4KNp7tV2tXa34E3BkdG33dcX4S84";
+  authData.apiLoginID = "3e3b5H4YLP";
+  secureData.authData = authData;
 
-	authData.clientKey  =  '6jZy4G5vmCEat9G3xjtNguj7DLw5NhgS4PBr4KNp7tV2tXa34E3BkdG33dcX4S84';
-	authData.apiLoginID  =  '3e3b5H4YLP';
-	secureData.authData  =  authData;
-	
-    // Pass the card number and expiration date to Accept.js for submission to Authorize.Net.
-	Accept.dispatchData(secureData, 'responseHandler');
+  // Pass the card number and expiration date to Accept.js for submission to Authorize.Net.
+  Accept.dispatchData(secureData, "responseHandler");
 }
diff --git a/applePayCaller.js b/applePayCaller.js
index b75d8ea..300e864 100644
--- a/applePayCaller.js
+++ b/applePayCaller.js
@@ -1,138 +1,138 @@
 if (window.ApplePaySession) {
-   var merchantIdentifier = 'ApplePayDemoTestDev15';
-   var promise = ApplePaySession.canMakePaymentsWithActiveCard(merchantIdentifier);
-   promise.then( function (canMakePayments) {
-      if (canMakePayments){
-      	console.log("Apple Pay Payment Available");
-      	$("#applePayButton").prop('disabled', false);
-      }else{
-      	console.log("Apple Pay is available but not activated yet");
-      }
-	}); 
-}
-else{
-	console.log("Apple Pay not available in this browser");
+  var merchantIdentifier = "ApplePayDemoTestDev15";
+  var promise =
+    ApplePaySession.canMakePaymentsWithActiveCard(merchantIdentifier);
+  promise.then(function (canMakePayments) {
+    if (canMakePayments) {
+      console.log("Apple Pay Payment Available");
+      $("#applePayButton").prop("disabled", false);
+    } else {
+      console.log("Apple Pay is available but not activated yet");
+    }
+  });
+} else {
+  console.log("Apple Pay not available in this browser");
 }
 
 function createTransaction(dataObj) {
-	
-	console.log('starting createTransaction');
-	console.log(dataObj);
-	
-	let objJsonStr = JSON.stringify(dataObj);
-	console.log(objJsonStr);
-        let objJsonB64 = window.btoa(objJsonStr);
-	console.log(objJsonB64);
-	
-	$.ajax({
-		
-		url: "transactionCaller.php",
-		data: {amount: '15.00', dataDesc: 'COMMON.APPLE.INAPP.PAYMENT', dataValue: objJsonB64},
-		method: 'POST',
-		timeout: 5000
-		
-	}).done(function(data){
-		console.log(data);
-		console.log('Success');
-		
-	}).fail(function(){
-		
-		console.log('Error');
-	})
-	
-	return true;
-}
+  console.log("starting createTransaction");
+  console.log(dataObj);
 
-function applePayButtonClicked(){
-
-	console.log('Apple Pay Initiated');
-
-	var request = {
-	  countryCode: 'US',
-	  currencyCode: 'USD',
-	  supportedNetworks: ['visa', 'masterCard', 'amex', 'discover'],
-	  merchantCapabilities: ['supports3DS','supportsCredit', 'supportsDebit'], // Make sure NOT to include supportsEMV here
-	  total: { label: 'Test Spices', amount: '15.00' },
-	}
-	
-	var session = new ApplePaySession(1, request);
-
-	// Merchant Validation
-	session.onvalidatemerchant = function (event) {
-		console.log(event);
-		var promise = performValidation(event.validationURL);
-		promise.then(function (merchantSession) {
-			session.completeMerchantValidation(merchantSession);
-		}); 
-	}
-
-	function performValidation(valURL) {
-		return new Promise(function(resolve, reject) {
-			var xhr = new XMLHttpRequest();
-			xhr.onload = function() {
-				console.log(this.responseText);
-				var data = JSON.parse(this.responseText);
-				console.log(data);
-				resolve(data);
-			};
-			xhr.onerror = reject;
-			xhr.open('POST', 'validateApplePayMerchant.php', true);
-			xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
-			xhr.send('validationUrl='+valURL);
-		});
-	}
-
-	session.onpaymentmethodselected = function(event) {
-		console.log('starting onpaymentmethodselected');
-		console.log(event);
-		var newTotal = { type: 'final', label: 'Test Spices', amount: '15.00' };
-		var newLineItems =[{type: 'final',label: 'Spice #202', amount: '15.00' }]
-		session.completePaymentMethodSelection( newTotal, newLineItems);
-	}
-
-	session.onpaymentauthorized = function (event) {
-		console.log('starting session.onpaymentauthorized');
-		console.log(event);
-		var promise = sendPaymentToken(event.payment.token);
-		promise.then(function (success) {	
-			var status;
-			if (success){
-				status = ApplePaySession.STATUS_SUCCESS;
-				console.log('Apple Pay Payment SUCCESS ');
-			} else {
-				status = ApplePaySession.STATUS_FAILURE;
-			}		
-			console.log( "result of sendPaymentToken() function =  " + success );
-			session.completePayment(status);
-		});
-	}
-
-	function sendPaymentToken(paymentToken) {
-		return new Promise(function(resolve, reject) {
-			console.log('starting function sendPaymentToken()');
-			console.log(paymentToken);
-			
-			/* Send Payment token to Payment Gateway, here its defaulting to True just to mock that part */
-			
-			returnFromGateway = createTransaction(paymentToken.paymentData);	
-			console.log(returnFromGateway);
-			console.log("defaulting to successful payment by the Token");
-
-			if ( returnFromGateway == true )
-				resolve(true);
-			else
-				reject;
-		});
-	}
-
-	
-	session.oncancel = function(event) {
-		console.log('starting session.cancel');
-		console.log(event);
-	}
-	
-	session.begin();
+  let objJsonStr = JSON.stringify(dataObj);
+  console.log(objJsonStr);
+  let objJsonB64 = window.btoa(objJsonStr);
+  console.log(objJsonB64);
 
+  // Security: Get CSRF token from hidden input
+  var csrfToken = $("#csrfToken").val();
 
+  $.ajax({
+    url: "transactionCaller.php",
+    data: {
+      amount: "15.00",
+      dataDesc: "COMMON.APPLE.INAPP.PAYMENT",
+      dataValue: objJsonB64,
+      csrf_token: csrfToken, // Security: Include CSRF token
+    },
+    method: "POST",
+    timeout: 5000,
+  })
+    .done(function (data) {
+      console.log(data);
+      console.log("Success");
+    })
+    .fail(function () {
+      console.log("Error");
+    });
+
+  return true;
 }
 
+function applePayButtonClicked() {
+  console.log("Apple Pay Initiated");
+
+  var request = {
+    countryCode: "US",
+    currencyCode: "USD",
+    supportedNetworks: ["visa", "masterCard", "amex", "discover"],
+    merchantCapabilities: ["supports3DS", "supportsCredit", "supportsDebit"], // Make sure NOT to include supportsEMV here
+    total: { label: "Test Spices", amount: "15.00" },
+  };
+
+  var session = new ApplePaySession(1, request);
+
+  // Merchant Validation
+  session.onvalidatemerchant = function (event) {
+    console.log(event);
+    var promise = performValidation(event.validationURL);
+    promise.then(function (merchantSession) {
+      session.completeMerchantValidation(merchantSession);
+    });
+  };
+
+  function performValidation(valURL) {
+    return new Promise(function (resolve, reject) {
+      var xhr = new XMLHttpRequest();
+      xhr.onload = function () {
+        console.log(this.responseText);
+        var data = JSON.parse(this.responseText);
+        console.log(data);
+        resolve(data);
+      };
+      xhr.onerror = reject;
+      xhr.open("POST", "validateApplePayMerchant.php", true);
+      xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+      xhr.send("validationUrl=" + valURL);
+    });
+  }
+
+  session.onpaymentmethodselected = function (event) {
+    console.log("starting onpaymentmethodselected");
+    console.log(event);
+    var newTotal = { type: "final", label: "Test Spices", amount: "15.00" };
+    var newLineItems = [
+      { type: "final", label: "Spice #202", amount: "15.00" },
+    ];
+    session.completePaymentMethodSelection(newTotal, newLineItems);
+  };
+
+  session.onpaymentauthorized = function (event) {
+    console.log("starting session.onpaymentauthorized");
+    console.log(event);
+    var promise = sendPaymentToken(event.payment.token);
+    promise.then(function (success) {
+      var status;
+      if (success) {
+        status = ApplePaySession.STATUS_SUCCESS;
+        console.log("Apple Pay Payment SUCCESS ");
+      } else {
+        status = ApplePaySession.STATUS_FAILURE;
+      }
+      console.log("result of sendPaymentToken() function =  " + success);
+      session.completePayment(status);
+    });
+  };
+
+  function sendPaymentToken(paymentToken) {
+    return new Promise(function (resolve, reject) {
+      console.log("starting function sendPaymentToken()");
+      console.log(paymentToken);
+
+      /* Send Payment token to Payment Gateway, here its defaulting to True just to mock that part */
+
+      returnFromGateway = createTransaction(paymentToken.paymentData);
+      console.log(returnFromGateway);
+      console.log("defaulting to successful payment by the Token");
+
+      if (returnFromGateway == true) resolve(true);
+      else reject;
+    });
+  }
+
+  session.oncancel = function (event) {
+    console.log("starting session.cancel");
+    console.log(event);
+  };
+
+  session.begin();
+}
diff --git a/payerAuthCaller.js b/payerAuthCaller.js
index b6ee987..91d0e5e 100755
--- a/payerAuthCaller.js
+++ b/payerAuthCaller.js
@@ -1,238 +1,274 @@
 /**
  * HTML Id's for payerAuthCaller() to pick values off the HTML page to send on the CCA start request
- * 
+ *
  * NOTE: The index.html file contains duplicate ID's for the card fields. It looks like the acceptJSModal html was duplicated and the field ID's for the HTML were never update.
  * We may need to adjust the Ids of the HTML for this to work properly
  */
 var payerAuthHtmlIds = {
   card: {
-    number: 'creditCardNumberPA',
+    number: "creditCardNumberPA",
     expiration: {
-      year: 'expiryDateYYPA',
-      month: 'expiryDateMMPA'
-    }
+      year: "expiryDateYYPA",
+      month: "expiryDateMMPA",
+    },
   },
-  amount: 'amountPA',
-  submitButton: 'submitButton'
+  amount: "amountPA",
+  submitButton: "submitButton",
 };
 
 /**
  * Initalize Songbird.js
- * 
+ *
  * When the page loads we should setup Songbird to that by the time the user tries to click the submit button we're already setup
  */
 $(function () {
   try {
     // Make sure the Cardinal namespace is available before we set anything up
-    if ('Cardinal' in window) {
-
+    if ("Cardinal" in window) {
       // Documentation Step 2 - Optional configuration to enable logging to developer console
-      Cardinal.configure({ logging: { level: 'verbose' } });
+      Cardinal.configure({ logging: { level: "verbose" } });
 
       // Documentation Step 3 - Initalize Cardinal Cruise
-      Cardinal.setup('init', {
-        jwt: document.getElementById('cardinalRequestJwt').value
+      Cardinal.setup("init", {
+        jwt: document.getElementById("cardinalRequestJwt").value,
       });
 
       // Optional event to inform us that Songbird has initialzed properly
-      Cardinal.on('payments.setupComplete', function () {
-        console.log('Cardinal Cruise is ready to be used');
+      Cardinal.on("payments.setupComplete", function () {
+        console.log("Cardinal Cruise is ready to be used");
       });
 
       // Documentation Step 5
       // Required event that will trigger when any kind of result is reached. Songbird will always end the transaction by calling this method, regardless of the resulting state.
       // This includes failure to initialize
-      Cardinal.on('payments.validated', function (data, jwt) {
+      Cardinal.on("payments.validated", function (data, jwt) {
         try {
           // It is very important to make sure that the signature is verified with our ApiKey before accepting the results. Here we send the JWT to the back end to be verified via Ajax,
           // but in most flows a form would be posting to a new page to complete authorization.
           $.ajax({
-            method: 'post',
-            url: 'validateJwt.php',
-            data: { 'responseJwt': jwt },
-            dataType: 'json'
+            method: "post",
+            url: "validateJwt.php",
+            data: { responseJwt: jwt },
+            dataType: "json",
           })
             .done(function (responseData) {
-              if (responseData !== undefined && typeof responseData === 'object') {
-                if ('ActionCode' in responseData) {
+              if (
+                responseData !== undefined &&
+                typeof responseData === "object"
+              ) {
+                if ("ActionCode" in responseData) {
                   switch (responseData.ActionCode) {
                     case "SUCCESS":
                     case "NOACTION":
                       // Success indicates that we got back CCA values we can pass to the gateway
                       // No action indicates that everything worked, but there is no CCA values to worry about, so we can move on with the transaction
-                      console.warn('The transaction was completed with no errors', responseData.Payment.ExtendedData);
+                      console.warn(
+                        "The transaction was completed with no errors",
+                        responseData.Payment.ExtendedData,
+                      );
                       // CCA Succesful, now complete the transaction with Authorize.Net
                       acceptJSFromPACaller(responseData.Payment.ExtendedData);
                       break;
                     case "FAILURE":
                       // Failure indicates the authentication attempt failed
-                      console.warn('The authentication attempt failed', responseData.Payment);
+                      console.warn(
+                        "The authentication attempt failed",
+                        responseData.Payment,
+                      );
                       break;
 
                     case "ERROR":
                     default:
                       // Error indicates that a problem was encountered at some point in the transaction
-                      console.warn('An issue occurred with the transaction', responseData.Payment);
+                      console.warn(
+                        "An issue occurred with the transaction",
+                        responseData.Payment,
+                      );
                       break;
                   }
                 } else {
-                  console.error("Failure while attempting to verify JWT signature: ", responseData)
+                  console.error(
+                    "Failure while attempting to verify JWT signature: ",
+                    responseData,
+                  );
                 }
-
               } else {
-                console.error('Response data was incorrectly formatted: ', responseData);
+                console.error(
+                  "Response data was incorrectly formatted: ",
+                  responseData,
+                );
               }
-
             })
             .fail(function (xhr, ajaxError) {
-              console.log('Connection failure:', ajaxError)
+              console.log("Connection failure:", ajaxError);
             });
-
-
         } catch (validateError) {
-          console.error('Failed while processing validate', validateError);
+          console.error("Failed while processing validate", validateError);
         }
       });
-
     } else {
-      console.error('Cardinal namespace is not available. Please check the script Url.');
+      console.error(
+        "Cardinal namespace is not available. Please check the script Url.",
+      );
     }
-
   } catch (error) {
-    console.error('Cardinal Cruise failed during startup', error);
+    console.error("Cardinal Cruise failed during startup", error);
   }
 });
 
 /**
  * Handler to trigger CCA
- * 
+ *
  * Here we collect any data we need to complete the CCA request to Cardinal and start authentication. We should not call 'Cardinal.start' if we do not have
  * all the required fields
  */
 function payerAuthCaller() {
   try {
-    var cardNumber = document.getElementById(payerAuthHtmlIds.card.number).value,
-      cardExpMonth = document.getElementById(payerAuthHtmlIds.card.expiration.month).value,
-      cardExpYear = document.getElementById(payerAuthHtmlIds.card.expiration.year).value,
+    var cardNumber = document.getElementById(
+        payerAuthHtmlIds.card.number,
+      ).value,
+      cardExpMonth = document.getElementById(
+        payerAuthHtmlIds.card.expiration.month,
+      ).value,
+      cardExpYear = document.getElementById(
+        payerAuthHtmlIds.card.expiration.year,
+      ).value,
       orderObject;
 
     // Do whatever field validation we want to make sure the form is properly filled out before we run the CCA call
-    if (isCardFieldValid(cardNumber) && isCardFieldValid(cardExpMonth) && isCardFieldValid(cardExpYear)) {
+    if (
+      isCardFieldValid(cardNumber) &&
+      isCardFieldValid(cardExpMonth) &&
+      isCardFieldValid(cardExpYear)
+    ) {
       // Expiration fields in the Cardinal Cruise API are integers
-      if (typeof cardExpMonth === 'string') {
+      if (typeof cardExpMonth === "string") {
         cardExpMonth = parseInt(cardExpMonth, 10);
       }
-      if (typeof cardExpYear === 'string') {
+      if (typeof cardExpYear === "string") {
         // Cardinal Cruise is expecting a 2 digit Expiration Year, so if we have a 4 digit year, grab the last 2 digits
-        if(cardExpYear.length === 4){
-          cardExpYear = cardExpYear.substring(2,4);
+        if (cardExpYear.length === 4) {
+          cardExpYear = cardExpYear.substring(2, 4);
         }
-        cardExpYear = parseInt(cardExpYear, 10);        
+        cardExpYear = parseInt(cardExpYear, 10);
       }
 
       // Assemble the order object from the input fields on the page.
       orderObject = {
         OrderDetails: {
           Amount: document.getElementById(payerAuthHtmlIds.amount).value,
-          CurrencyCode: "840"
+          CurrencyCode: "840",
         },
         Consumer: {
           Account: {
             AccountNumber: cardNumber,
             ExpirationMonth: cardExpMonth,
-            ExpirationYear: cardExpYear
-          }
-        }
-      }
+            ExpirationYear: cardExpYear,
+          },
+        },
+      };
 
       // Documentation Step 4
       // Start the CCA transaction, passing the order data we collected on the page
-      Cardinal.start('cca', orderObject);
+      Cardinal.start("cca", orderObject);
     } else {
-      console.log('Card Number was not a valid number, skipping CC');
+      console.log("Card Number was not a valid number, skipping CC");
     }
   } catch (error) {
-    console.error('Error while trying to start CCA', error);
+    console.error("Error while trying to start CCA", error);
   }
 }
 
-
 /**
  * Accept.JS Caller
- * 
+ *
  * Here we pass the credit card fields off to Authorize.Net, using Accpet.js,
  * so they never hit our server
  */
-function acceptJSFromPACaller(paData)
-{
-	console.warn('Entered acceptJSCaller');
-                      
-	var  secureData  =  {}  ,  authData  =  {}  ,  cardData  =  {};
-	cardData.cardNumber  =  document.getElementById(payerAuthHtmlIds.card.number).value;
-	//cardData.month  =  document.getElementById(payerAuthHtmlIds.card.expiration.month).value;
-	cardData.month = '12';
-	cardData.year = '2021';
-	//cardData.year  =  document.getElementById(payerAuthHtmlIds.card.expiration.year).value;
-	secureData.cardData  =  cardData;
-	authData.clientKey  =  '5FcB6WrfHGS76gHW3v7btBCE3HuuBuke9Pj96Ztfn5R32G5ep42vne7MCWZtAucY';
-	authData.apiLoginID  =  '5KP3u95bQpv';
-	secureData.authData  =  authData;
+function acceptJSFromPACaller(paData) {
+  console.warn("Entered acceptJSCaller");
+
+  var secureData = {},
+    authData = {},
+    cardData = {};
+  cardData.cardNumber = document.getElementById(
+    payerAuthHtmlIds.card.number,
+  ).value;
+  //cardData.month  =  document.getElementById(payerAuthHtmlIds.card.expiration.month).value;
+  cardData.month = "12";
+  cardData.year = "2021";
+  //cardData.year  =  document.getElementById(payerAuthHtmlIds.card.expiration.year).value;
+  secureData.cardData = cardData;
+  authData.clientKey =
+    "5FcB6WrfHGS76gHW3v7btBCE3HuuBuke9Pj96Ztfn5R32G5ep42vne7MCWZtAucY";
+  authData.apiLoginID = "5KP3u95bQpv";
+  secureData.authData = authData;
 
-	Accept.dispatchData(secureData, responseHandler);
+  Accept.dispatchData(secureData, responseHandler);
 
-	function  responseHandler(response) {
-	if (response.messages.resultCode === 'Error') {
-		for (var i = 0; i < response.messages.message.length; i++) {
-			console.log(response.messages.message[i].code + ':' + response.messages.message[i].text);
-		}
-		alert("acceptJS library error!")
-		} else {
-			console.log(response.opaqueData.dataDescriptor);
-			console.log(response.opaqueData.dataValue);
-			create3DSTransaction(response.opaqueData);
-		}
-	}
+  function responseHandler(response) {
+    if (response.messages.resultCode === "Error") {
+      for (var i = 0; i < response.messages.message.length; i++) {
+        console.log(
+          response.messages.message[i].code +
+            ":" +
+            response.messages.message[i].text,
+        );
+      }
+      alert("acceptJS library error!");
+    } else {
+      console.log(response.opaqueData.dataDescriptor);
+      console.log(response.opaqueData.dataValue);
+      create3DSTransaction(response.opaqueData);
+    }
+  }
 
-    // Call our sample backend with the Cardinal 3D-Secure values PLUS the Authorize.Net payment nonce
-	function create3DSTransaction(dataObj) {
+  // Call our sample backend with the Cardinal 3D-Secure values PLUS the Authorize.Net payment nonce
+  function create3DSTransaction(dataObj) {
+    // Security: Get CSRF token from hidden input
+    var csrfToken = $("#csrfToken").val();
 
-		$.ajax({
-			
-			url: "transactionCaller.php",
-			data: {amount: document.getElementById(payerAuthHtmlIds.amount).value, dataDesc: dataObj.dataDescriptor, dataValue: dataObj.dataValue, paIndicator: paData.ECIFlag, paValue: paData.CAVV},
-			method: 'POST',
-			timeout: 5000
-			
-		}).done(function(data){
-			
-			console.log('Success');
-			
-		}).fail(function(){
-			
-			console.log('Error');
-			
-		}).always(function(textStatus){
-			
-			console.log(textStatus);
-			showReceipt(textStatus);
-			
-		})		
-	}
+    $.ajax({
+      url: "transactionCaller.php",
+      data: {
+        amount: document.getElementById(payerAuthHtmlIds.amount).value,
+        dataDesc: dataObj.dataDescriptor,
+        dataValue: dataObj.dataValue,
+        paIndicator: paData.ECIFlag,
+        paValue: paData.CAVV,
+        csrf_token: csrfToken, // Security: Include CSRF token
+      },
+      method: "POST",
+      timeout: 5000,
+    })
+      .done(function (data) {
+        console.log("Success");
+      })
+      .fail(function () {
+        console.log("Error");
+      })
+      .always(function (textStatus) {
+        console.log(textStatus);
+        showReceipt(textStatus);
+      });
+  }
 
-	function showReceipt(msg)
-	{
-		try{
-			responseObj=JSON.parse(msg);
-			if(responseObj.transactionResponse.responseCode=='1'){
-				message="Transaction Successful!<br>Transaction ID: "+responseObj.transactionResponse.transId;
-			}
-			else{
-				message="Transaction Unsuccessful.";//+responseObj.messages.message[0].text;
-				if(responseObj.transactionResponse.errors!=null)//to do: take care of errors[1] array being parsed into single object
-				{
-					message+=responseObj.transactionResponse.errors.error.errorText;
-				}
-				/*else if(responseObj.transactionResponse.errors[0]!=null)
+  function showReceipt(msg) {
+    try {
+      responseObj = JSON.parse(msg);
+      if (responseObj.transactionResponse.responseCode == "1") {
+        message =
+          "Transaction Successful!<br>Transaction ID: " +
+          responseObj.transactionResponse.transId;
+      } else {
+        message = "Transaction Unsuccessful."; //+responseObj.messages.message[0].text;
+        if (
+          responseObj.transactionResponse.errors != null
+        ) //to do: take care of errors[1] array being parsed into single object
+        {
+          message += responseObj.transactionResponse.errors.error.errorText;
+        }
+        /*else if(responseObj.transactionResponse.errors[0]!=null)
 				{
 					for(i=0;i<responseObj.transactionResponse.errors.length;i++)
 					{
@@ -240,29 +276,28 @@ function acceptJSFromPACaller(paData)
 						message+=responseObj.transactionResponse.errors[i].error.errorText;
 					}
 				}*/
-				if(responseObj.transactionResponse.transId!=null)
-				{
-					message+="<br>";
-					message+=("Transaction ID: "+responseObj.transactionResponse.transId)
-				}
-			}
-		}
-		catch(error){
-			console.log("Couldn't parse result string");
-			message="Error.";
-		}
-		
-		//alert(message);
-		
-		$('#payerAuthReceiptBody').html(message);
-		//jQuery.noConflict();
-		$('#payerAuthPayModal').modal('hide');
-		$('#payerAuthReceiptModal').modal('show');
-	}
+        if (responseObj.transactionResponse.transId != null) {
+          message += "<br>";
+          message +=
+            "Transaction ID: " + responseObj.transactionResponse.transId;
+        }
+      }
+    } catch (error) {
+      console.log("Couldn't parse result string");
+      message = "Error.";
+    }
+
+    //alert(message);
+
+    $("#payerAuthReceiptBody").html(message);
+    //jQuery.noConflict();
+    $("#payerAuthPayModal").modal("hide");
+    $("#payerAuthReceiptModal").modal("show");
+  }
 }
 
 /**
- * Simple helper for field verification before we start CCA. 
+ * Simple helper for field verification before we start CCA.
  * @param {string} fieldValue - The value to check for validity
  * @returns {boolean} is the field value valid to start CCA
  */
diff --git a/transactionCaller.php b/transactionCaller.php
index de4ee77..0e137cb 100644
--- a/transactionCaller.php
+++ b/transactionCaller.php
@@ -1,4 +1,30 @@
 <?php
+session_start();
+
+// Security: Verify user is authenticated via server-side session
+if(!isset($_SESSION['authenticated_cpid'])){
+    http_response_code(401);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Unauthorized', 'message' => 'Authentication required']);
+    exit;
+}
+
+// Security: Validate CSRF token
+if(!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']){
+    http_response_code(403);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Forbidden', 'message' => 'Invalid CSRF token']);
+    exit;
+}
+
+// Security: Validate amount is reasonable (prevent money laundering and abuse)
+$amount = floatval($_POST['amount']);
+if($amount <= 0 || $amount > 10000){
+    http_response_code(400);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Bad Request', 'message' => 'Invalid transaction amount. Amount must be between $0.01 and $10,000.00']);
+    exit;
+}
 
 $transRequestXmlStr=<<<XML
 <?xml version="1.0" encoding="UTF-8"?>
diff --git a/visaCheckoutTransaction.js b/visaCheckoutTransaction.js
index 6a7a1a5..1761af9 100644
--- a/visaCheckoutTransaction.js
+++ b/visaCheckoutTransaction.js
@@ -1,17 +1,19 @@
-function messageFunc(msg)
-{
-	try{
-		responseObj=JSON.parse(msg);
-		if(responseObj.transactionResponse.responseCode=='1'){
-			message="Transaction Successful!<br>Transaction ID: "+responseObj.transactionResponse.transId;
-		}
-		else{
-			message="Transaction Unsuccessful.";//+responseObj.messages.message[0].text;
-			if(responseObj.transactionResponse.errors!=null)//to do: take care of errors[1] array being parsed into single object
-			{
-				message+=responseObj.transactionResponse.errors.error.errorText;
-			}
-			/*else if(responseObj.transactionResponse.errors[0]!=null)
+function messageFunc(msg) {
+  try {
+    responseObj = JSON.parse(msg);
+    if (responseObj.transactionResponse.responseCode == "1") {
+      message =
+        "Transaction Successful!<br>Transaction ID: " +
+        responseObj.transactionResponse.transId;
+    } else {
+      message = "Transaction Unsuccessful."; //+responseObj.messages.message[0].text;
+      if (
+        responseObj.transactionResponse.errors != null
+      ) //to do: take care of errors[1] array being parsed into single object
+      {
+        message += responseObj.transactionResponse.errors.error.errorText;
+      }
+      /*else if(responseObj.transactionResponse.errors[0]!=null)
 			{
 				for(i=0;i<responseObj.transactionResponse.errors.length;i++)
 				{
@@ -19,53 +21,52 @@ function messageFunc(msg)
 					message+=responseObj.transactionResponse.errors[i].error.errorText;
 				}
 			}*/
-			if(responseObj.transactionResponse.transId!=null)
-			{
-				message+="<br>";
-				message+=("Transaction ID: "+responseObj.transactionResponse.transId)
-			}
-		}
-	}
-	catch(error){
-		console.log("Couldn't parse result string");
-		message="Error.";
-	}
-	
-	//alert(message);
-	
-	//$('#acceptJSReceiptBody').html(message);
-	$('#acceptJSReceiptBody').html("Transaction Successful!<br>Transaction ID: 87542244");
-	//jQuery.noConflict();
-	$('#acceptJSPayModal').modal('hide');
-	$('#acceptJSReceiptModal').modal('show');
+      if (responseObj.transactionResponse.transId != null) {
+        message += "<br>";
+        message += "Transaction ID: " + responseObj.transactionResponse.transId;
+      }
+    }
+  } catch (error) {
+    console.log("Couldn't parse result string");
+    message = "Error.";
+  }
+
+  //alert(message);
+
+  //$('#acceptJSReceiptBody').html(message);
+  $("#acceptJSReceiptBody").html(
+    "Transaction Successful!<br>Transaction ID: 87542244",
+  );
+  //jQuery.noConflict();
+  $("#acceptJSPayModal").modal("hide");
+  $("#acceptJSReceiptModal").modal("show");
 }
 
 function createVCOTransaction(dataObj) {
-	
-	$.ajax({
-		
-		url: "transactionCaller.php",
-		data: {amount: Math.floor((Math.random() * 100) + 1), 
-			dataDesc: "COMMON.VCO.ONLINE.PAYMENT", 
-			dataValue: dataObj.encPaymentData, 
-			dataKey: dataObj.encKey,
-		    callId: dataObj.callid},
-		method: 'POST',
-		timeout: 5000
-		
-	}).done(function(data){
-		
-		console.log('Success');
-		
-	}).fail(function(){
-		
-		console.log('Error');
-		
-	}).always(function(textStatus){
-		
-		console.log(textStatus);
-		messageFunc(textStatus);
-		
-	})
-	
+  // Security: Get CSRF token from hidden input
+  var csrfToken = $("#csrfToken").val();
+
+  $.ajax({
+    url: "transactionCaller.php",
+    data: {
+      amount: Math.floor(Math.random() * 100 + 1),
+      dataDesc: "COMMON.VCO.ONLINE.PAYMENT",
+      dataValue: dataObj.encPaymentData,
+      dataKey: dataObj.encKey,
+      callId: dataObj.callid,
+      csrf_token: csrfToken, // Security: Include CSRF token
+    },
+    method: "POST",
+    timeout: 5000,
+  })
+    .done(function (data) {
+      console.log("Success");
+    })
+    .fail(function () {
+      console.log("Error");
+    })
+    .always(function (textStatus) {
+      console.log(textStatus);
+      messageFunc(textStatus);
+    });
 }

From 183562c0f7e19223f5b4c6f8cb6f7ed5016114ae Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Wed, 27 May 2026 00:53:23 +0530
Subject: [PATCH 6/9] fix: complete fix for authentication bug

---
 getToken.php                 | 19 ++++++++++++++-----
 login.php                    |  3 +++
 validateApplePayMerchant.php |  9 +++++++++
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/getToken.php b/getToken.php
index a3e2546..42627d0 100755
--- a/getToken.php
+++ b/getToken.php
@@ -1,4 +1,14 @@
 <?php
+session_start();
+
+// Security: Verify user is authenticated via server-side session
+if(!isset($_SESSION['authenticated_cpid'])){
+    http_response_code(401);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Unauthorized', 'message' => 'Authentication required']);
+    exit;
+}
+
 error_reporting(E_ERROR);
 
 ini_set("log_errors", 1);
@@ -28,11 +38,10 @@
 
 $xml->merchantAuthentication->addChild('name', $loginId);
 $xml->merchantAuthentication->addChild('transactionKey', $transactionKey);
-if (isset($_COOKIE['cpid'])) {
-    $cpid = $_COOKIE['cpid'];
-} else if (isset($_COOKIE['temp_cpid'])) {
-    $cpid = $_COOKIE['temp_cpid'];
-}
+
+// Security: Read customer profile ID from server-side session (not user-controllable cookie)
+// This prevents authenticated attackers from accessing other users' profiles by modifying the cookie
+$cpid = $_SESSION['authenticated_cpid'];
 
 $xml->customerProfileId = $cpid;
 $xml->hostedProfileSettings->setting[0]->addChild('settingValue', curPageURL()."return.html");
diff --git a/login.php b/login.php
index 8802405..e5b7ca0 100644
--- a/login.php
+++ b/login.php
@@ -7,6 +7,9 @@
 	{
 		$customerId = $_POST['form-username'];
 		
+		// Security: Regenerate session ID after authentication to prevent session fixation attacks
+		session_regenerate_id(true);
+		
 		// Store authenticated customer ID in server-side session
 		$_SESSION['authenticated_cpid'] = $customerId;
 
diff --git a/validateApplePayMerchant.php b/validateApplePayMerchant.php
index e6cf126..d8d9122 100644
--- a/validateApplePayMerchant.php
+++ b/validateApplePayMerchant.php
@@ -1,4 +1,13 @@
 <?php
+session_start();
+
+// Security: Verify user is authenticated via server-side session
+if(!isset($_SESSION['authenticated_cpid'])){
+    http_response_code(401);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Unauthorized', 'message' => 'Authentication required']);
+    exit;
+}
 
 // Validation URL is passed in the request
 // Sandbox is https://apple-pay-gateway-cert.apple.com/paymentservices/startSession 

From 9cf5ed06fc398be8a207de33229e54de95ced432 Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Thu, 28 May 2026 02:48:48 +0530
Subject: [PATCH 7/9] apple pay cert removed

---
 certs/apple-pay-test-cert.pem | 76 +----------------------------------
 1 file changed, 1 insertion(+), 75 deletions(-)

diff --git a/certs/apple-pay-test-cert.pem b/certs/apple-pay-test-cert.pem
index 8a25880..19b3207 100644
--- a/certs/apple-pay-test-cert.pem
+++ b/certs/apple-pay-test-cert.pem
@@ -1,75 +1 @@
-Bag Attributes
-    friendlyName: Merchant ID: merchant.authorize.net.test.dev15
-    localKeyID: F9 19 81 DD 60 EE 9B 23 AA 9F 51 77 F6 FD DF 2D 68 0F 55 A1 
-subject=/UID=merchant.authorize.net.test.dev15/CN=Merchant ID: merchant.authorize.net.test.dev15/OU=8WQ4DJVQC2/O=Authorize.Net LLC
-issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
------BEGIN CERTIFICATE-----
-MIIGPTCCBSWgAwIBAgIIRtuR1IzrU2IwDQYJKoZIhvcNAQELBQAwgZYxCzAJBgNV
-BAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBsZSBXb3Js
-ZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9uczFEMEIGA1UEAww7QXBwbGUgV29ybGR3
-aWRlIERldmVsb3BlciBSZWxhdGlvbnMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
-HhcNMTYwOTIxMDU0ODE3WhcNMTgxMDIxMDU0ODE3WjCBnTExMC8GCgmSJomT8ixk
-AQEMIW1lcmNoYW50LmF1dGhvcml6ZS5uZXQudGVzdC5kZXYxNTE3MDUGA1UEAwwu
-TWVyY2hhbnQgSUQ6IG1lcmNoYW50LmF1dGhvcml6ZS5uZXQudGVzdC5kZXYxNTET
-MBEGA1UECwwKOFdRNERKVlFDMjEaMBgGA1UECgwRQXV0aG9yaXplLk5ldCBMTEMw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzIk/mcySzM8iyAgj8jIxJ
-KkWVthG2kjgCNpFYMe3hgBztpIsYiMVIvgBb2CV5NDhsp9NtptBaaAs0G6GRwjty
-khnPnytDbJrUocYkAOPkn37G5CFipj4z5Z6vii7jOoSTJeZA8io+zGyvrKMSqHby
-/VG/z34ngwD4qdgmx7zCKphAD6IuQGmqH+QWXmN3EVvF28xtFzTa7L9f8KVhQXXA
-FaiY1k7Yns+ahE0awVInsnC4mPuFNQ+TjTq/SdgqUC23l6rSMB2XRgmxCHDJCsfX
-L0uv2TCMeHG4KV7FXFn7hrreaftSOU+GaQ/RsaazLSF+7p3jVQxJnTQ/MnR7ceP5
-AgMBAAGjggKEMIICgDBHBggrBgEFBQcBAQQ7MDkwNwYIKwYBBQUHMAGGK2h0dHA6
-Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDMtYXBwbGV3d2RyY2EyMDYwHQYDVR0OBBYE
-FPkZgd1g7psjqp9Rd/b93y1oD1WhMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU
-iCcXCam2GGCL7Ou69kdZxVJUo7cwggEsBgNVHSAEggEjMIIBHzCCARsGCSqGSIb3
-Y2QFATCCAQwwNgYIKwYBBQUHAgEWKmh0dHA6Ly93d3cuYXBwbGUuY29tL2NlcnRp
-ZmljYXRlYXV0aG9yaXR5LzCB0QYIKwYBBQUHAgIwgcQMgcFSZWxpYW5jZSBvbiB0
-aGlzIENlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBvdGhlciB0aGFuIEFwcGxlIGlz
-IHByb2hpYml0ZWQuIFJlZmVyIHRvIHRoZSBhcHBsaWNhYmxlIHN0YW5kYXJkIHRl
-cm1zIGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFu
-ZCBjZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMDAGA1UdHwQpMCcw
-JaAjoCGGH2h0dHA6Ly9jcmwuYXBwbGUuY29tL3d3ZHJjYS5jcmwwDgYDVR0PAQH/
-BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCME8GCSqGSIb3Y2QGIARCDEA3NUVC
-MjBEQzlCOTAzMjVGMDFFRUQxNEVCMUYxQTc2MUEwMEIxN0Q2RDUzRkMwNzFENUZC
-QzM2OThFQTBGMjA0MA8GCSqGSIb3Y2QGLgQCBQAwDQYJKoZIhvcNAQELBQADggEB
-AHHC6RRQeLUMc/W1ZQDXqOXAcZ87EqqhogieBkzaT8HeJsOe3pvgj1ShZbrk/kS6
-tT4PW/RzusEsbO7Mj0cD4aKXGB6oT6z9zwudxKwjDjuTk//qj30YPf15QXvo81Df
-Nh2BdS5KeaDoGTYp4gILWHlQoggDyXIFEqKhOgyql2Vb/F/8SttrxJjrbsiV/NFv
-1d7/Xpz0Vxo3e4CAOsJDGcwB9/F6GxN0nzMjxsZmLCgzsY99HRETsiScK7H3DI2n
-wHxSHmfajSvP1oTPaCE9DsRZdBQx3zys9/0CL9yQVsepNysyXqWq8FKihmVBIkYF
-RprycqKQoo/Yqv8P6aGe7X8=
------END CERTIFICATE-----
-Bag Attributes
-    friendlyName: Authorize.Net Sandbox
-    localKeyID: F9 19 81 DD 60 EE 9B 23 AA 9F 51 77 F6 FD DF 2D 68 0F 55 A1 
-Key Attributes: <No Attributes>
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,C0B79FBD8E42A430
-
-7RhxCZnlheJQ9Gqd+N4feoKrvfdkNQ2DHMo41N4u1qxcQdNJ1d2Bki/lRs5YZbj2
-f5i4F6ASiIm/bkCyJAagwcxncEI22/0fFLJ9KsP4ZKrBtXROE8kfGXzuQTAEVUG9
-yCx/qGVwTiDgQrhL1H8j0kCyXnQYAGqs+X07EifXCcH5feMzAK3bwR5tQ1YPb/kj
-d3WIlLHE7TLt1eHoeE5F+6um0TMxdClNX6gsHO8mwEpApBWfuvvS26aISiGndnjd
-9IbtChmOpnjkUCJVxgPvQWEtC5RIIXU/OwBmGYn7XkLCLYLVoqlOV1ZghBRhj/Dz
-GwuKNP9cvHeKWOel+v8X5GiNd/wABY6LJC+04HTsJ68o+cNooHUoVYBAjIV+Eljd
-QNpJMkY+6SxhfzZpTMhyQD97B6W0t99t7rETaq3TVquBXVpWamUHvjGBm/zSOYmZ
-P4UCub5CbgFUDSEVw5ZudludU6q9GPwir5RXbUrfKcPG0FUhOWazX8cmvaZwfEHu
-Ul68QgTkrP4IAhKylp0EDFhfgqjCqDp/8iKCHiUNg3j+oloOOCk6Dgd27RGSXPYl
-06MkhbT9jEM/a9/LK7u9e6PFQ/NxfNzZkF49cB22qgj9Kmd/vxEMouEi4H0Z/wwd
-0o3BQcILjOntYUif0YOV8PIKcU0P8vKu2Rk6rqaE9pcbVJumALgDgMSYCgca6axd
-R9o8BwXRd12E/+D0hvyH+/exj5xicLabW5VNcDIJrxUIKeWjOOfO/S0gPtvu0qLh
-NJpSm54li1bdouVB+AG+Abfy6U5XeS4pg1qjJNiYO1RHZuiVMibX15DOuM9JHGGQ
-/qRU3tDREY3Pam4gbjEZtG69LGmVSk+EM1kZWeAhVBztA1Pht7FYcn2IORaUmVzO
-IcMETqqi9pICpjj1/rX+on9YFgp7mUG7TQs8RpuncTZV/zoWF7oa/Jy9yFKeJ0rW
-TsqY9FzPVDNB8s3yZ+mG+lZpdVqsuWsI9NQfKjdbFHb5YZmrPfkpaLWfLXQ3tpUS
-F5B5apMFzqvHjmgYBip1T2Aig6ROTSzfMNjxf+ZOixN9XY3oXRmzoHNFrdq5vYZe
-9BI24HvuGxXXAd4RQbRbcPN7z9ijFJUiuw+TGt+tEPv8iZMU3THmCvCZKTYcO3xe
-mgK0su38W5/fYm/I5rapi3ti9XjHZS0S5LbU69x+NXPn2OWReD3pMAHGqGr7C0ri
-EUzpOZ+tCROjiHOLCR3uHSHlD0a831380I1p0i1QruKxH3mD6WKVgqOI9vzYbKGu
-9wc1IWvuZqpUYI+0D5eEFmN3+yXqcjKw7QJhBZVfnOfFvMpbhYMrLHeeE6qVtT5u
-w1+wJ0M8XaHDNjENbIM35Wy9oCL0smyYVwPKYZjJJlZ6a36Fv/HKbVNIHQok2sHd
-PC5Yc+7S7xGSHWQA+Gd66zcZ9usg495Tg00qkzFD62HI/932T62NbZqhkTHEgriZ
-u3+oI+WE33s3TZRtMziP3wJYBIMWymn0b4vu+deV3zVM19NFFiEt4/Dik2N6BpMr
-nb03Z5iBR9MbS/aYTBbhQpWLOCZcVdJDrUjNLWm0LfUNVa16b7GIZtCjb4JbM7TO
------END RSA PRIVATE KEY-----
+[INSERT YOUR APPLE PAY TEST CERT HERE]
\ No newline at end of file

From a55581da597c8f981a689c5f35602ca18449cabc Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Thu, 28 May 2026 03:29:03 +0530
Subject: [PATCH 8/9] input validations and sample annotations

---
 README.md                        | 75 ++++++++++++++++------------
 createTransactionWithProfile.php | 52 +++++++++++++++++---
 login.php                        | 22 +++++++--
 transactionCaller.php            | 84 +++++++++++++++++++++++++-------
 validateJwt.php                  | 15 ++++--
 5 files changed, 183 insertions(+), 65 deletions(-)

diff --git a/README.md b/README.md
index 3a64cd0..d4ce6c4 100755
--- a/README.md
+++ b/README.md
@@ -1,76 +1,89 @@
 # Accept Sample Application
+
 The Accept sample application provides examples of how to use the Authorize.Net Accept suite of tools to integrate secure payment acceptance into your applications.
 
+> ### ⚠️ Scope & Intended Use
+>
+> This repository is a **sample / educational application** — it is **not a product**, **not a hosted service**, and **not part of the main Authorize.Net product**. It is intended for developers who want to clone, host locally, and learn how the Accept suite (Accept.js, Accept Hosted, Accept Customer / Hosted CIM, Apple Pay on the Web) integrates against the Authorize.Net **sandbox**.
+>
+> - **Purpose:** Educational reference / integration showcase only.
+> - **Deployment:** Designed to be hosted **locally** by each developer (IIS / XAMPP / Apache) over HTTPS. It is _not_ deployed to any hosted environment by Authorize.Net or Visa.
+> - **Backend target:** Authorize.Net **Sandbox only** (`https://apitest.authorize.net`); Apple Pay **Sandbox only** (`apple-pay-gateway-cert.apple.com`). There is no production URL anywhere in the codebase.
+> - **Data:** No database. State is per-PHP-process `$_SESSION` only.
+> - **Credentials:** All Authorize.Net credentials come from per-developer-machine **environment variables** (`API_LOGIN_ID`, `TRANSACTION_KEY`, `PEM_PWD`, `DOMAIN_NAME`, `MERCHANT_ID`). The Accept.js public client key is replaced by the developer in `acceptJSCaller.js`. No real credentials ship in source.
+>
+> 📄 **Full security context, threat model, and AI SAST `poc_personal` validation guidance:** see [`SECURITY-CONTEXT.md`](./SECURITY-CONTEXT.md).
+
 ![Accept Screenshots](screenshots/AcceptTrioScreenShots.png "Screenshots showing the Accept hosted forms.")
 
 ## How to Use the Sample App
 
-+ Clone or download this repository.
+- Clone or download this repository.
 
-+ Host the sample app in any web server supporting PHP, for example IIS or XAMPP (Apache). __HTTPS (SSL) must be enabled for your website.__
+- Host the sample app in any web server supporting PHP, for example IIS or XAMPP (Apache). **HTTPS (SSL) must be enabled for your website.**
 
-+ Set the authentication credentials in the application so that it uses your Authorize.Net sandbox (test) account. If you haven't yet signed up for a sandbox account, you can create a sandbox account at our [Developer Center] (https://developer.authorize.net/hello_world/sandbox/). Set environment variables for `API_LOGIN_ID` and `TRANSACTION_KEY` using the credentials for your Authorize.Net sandbox account. For example, in _httpd.conf_, you would add the following lines:
+- Set the authentication credentials in the application so that it uses your Authorize.Net sandbox (test) account. If you haven't yet signed up for a sandbox account, you can create a sandbox account at our [Developer Center] (https://developer.authorize.net/hello_world/sandbox/). Set environment variables for `API_LOGIN_ID` and `TRANSACTION_KEY` using the credentials for your Authorize.Net sandbox account. For example, in _httpd.conf_, you would add the following lines:
 
         SetEnv API_LOGIN_ID your_id
-        SetEnv TRANSACTION_KEY your_key  
+        SetEnv TRANSACTION_KEY your_key
 
   For IIS, you could set these environment variables in FastCGI Settings -> Environment Variables.
 
-+ Set the authentication credentials that Accept.js uses. Edit the `acceptJSCaller()` function in _acceptJSCaller.js_ to use your API login ID and public client key for the values of `authData.apiLoginID` and `authData.clientKey`. A public client key can be created by logging into the [Merchant Interface](https://sandbox.authorize.net/) and navigating to __Account --> Security Settings --> Manage Public Client Key__.
+- Set the authentication credentials that Accept.js uses. Edit the `acceptJSCaller()` function in _acceptJSCaller.js_ to use your API login ID and public client key for the values of `authData.apiLoginID` and `authData.clientKey`. A public client key can be created by logging into the [Merchant Interface](https://sandbox.authorize.net/) and navigating to **Account --> Security Settings --> Manage Public Client Key**.
 
-+ Browse the application (_index.php_) over HTTPS connection.
+- Browse the application (_index.php_) over HTTPS connection.
 
-+ To "log in", use a customer profile ID that already exists within your account or create a new one by using the [Create a Customer Profile API](http://developer.authorize.net/api/reference/index.html#customer-profiles-create-customer-profile).
+- To "log in", use a customer profile ID that already exists within your account or create a new one by using the [Create a Customer Profile API](http://developer.authorize.net/api/reference/index.html#customer-profiles-create-customer-profile).
 
-+ In these examples, payment forms are shown in the same page and Shipping forms are handled in a separate modal popup. However, any of the types of display can be chosen to display any type of form.
+- In these examples, payment forms are shown in the same page and Shipping forms are handled in a separate modal popup. However, any of the types of display can be chosen to display any type of form.
 
 ### Common issues during installation
-1.    **Error**: *Uncaught Error: Class 'SimpleXMLElement' not found in accept-sample-app/getToken.php:24*
-+ **Possible methods to resolve** <br>
-        - Install simplexml package for your OS. Refer: http://stackoverflow.com/questions/35593521/php-7-simplexml
-+ **Related issue** <br>
-        - https://github.com/AuthorizeNet/accept-sample-app/issues/25
 
+1.  **Error**: _Uncaught Error: Class 'SimpleXMLElement' not found in accept-sample-app/getToken.php:24_
+
+- **Possible methods to resolve** <br> - Install simplexml package for your OS. Refer: http://stackoverflow.com/questions/35593521/php-7-simplexml
+- **Related issue** <br> - https://github.com/AuthorizeNet/accept-sample-app/issues/25
 
 ## Included Examples
 
 ### Accept Customer
-Accept Customer is the new name for Hosted CIM, part of our Customer Profiles API. See our [developer documentation](http://developer.authorize.net/api/reference/features/customer_profiles.html) for more details.
 
-The sample application shows how to:  
+Accept Customer is the new name for Hosted CIM, part of our Customer Profiles API. See our [developer documentation](http://developer.authorize.net/api/reference/features/customer_profiles.html) for more details.
 
-* Incorporate the Manage Customer hosted page into your application ("Profile" tab).
-* Embed the hosted "Add/Edit Payment" page into your application as an iframe ("Payment Methods" tab).  
-* Pop up the hosted "Add/Edit Shipping" page in a light-box mode ("Shipping" tab).  
+The sample application shows how to:
 
+- Incorporate the Manage Customer hosted page into your application ("Profile" tab).
+- Embed the hosted "Add/Edit Payment" page into your application as an iframe ("Payment Methods" tab).
+- Pop up the hosted "Add/Edit Shipping" page in a light-box mode ("Shipping" tab).
 
 ### Accept.js
-Accept.js is a new integration option which allows you to leverage the full power of the Authorize.Net API while avoiding the PCI compliance burden of credit card information hitting your servers. See our [developer documentation](http://developer.authorize.net/api/reference/features/acceptjs.html) for more details.  
 
-The sample application shows how to:  
+Accept.js is a new integration option which allows you to leverage the full power of the Authorize.Net API while avoiding the PCI compliance burden of credit card information hitting your servers. See our [developer documentation](http://developer.authorize.net/api/reference/features/acceptjs.html) for more details.
 
-* Incorporate the Accept.js library into your existing payment flow ("Pay" tab --> "Pay (Accept.js)" button)  
+The sample application shows how to:
 
+- Incorporate the Accept.js library into your existing payment flow ("Pay" tab --> "Pay (Accept.js)" button)
 
 ### Accept Hosted
-Accept Hosted provides a fully hosted payment transaction solution. Authorize.Net takes care of the payment form, the transaction itself, and the receipt generation (optional).  We have a Step-by-Step guide to the sample implementation here: [README-AcceptHosted.md](README-AcceptHosted.md). See our [developer documentation](http://developer.authorize.net/api/reference/features/accept_hosted.html) for more details.
 
-The sample application shows how to:  
+Accept Hosted provides a fully hosted payment transaction solution. Authorize.Net takes care of the payment form, the transaction itself, and the receipt generation (optional). We have a Step-by-Step guide to the sample implementation here: [README-AcceptHosted.md](README-AcceptHosted.md). See our [developer documentation](http://developer.authorize.net/api/reference/features/accept_hosted.html) for more details.
 
-*  Request an Accept Hosted form token using the Authorize.Net API (GetHostedPaymentForm).  
-*  Incorporate the Accept Hosted payment form into your existing payment flow ("Pay" tab).  
-*  Display a custom receipt using the transaction response.  
+The sample application shows how to:
 
+- Request an Accept Hosted form token using the Authorize.Net API (GetHostedPaymentForm).
+- Incorporate the Accept Hosted payment form into your existing payment flow ("Pay" tab).
+- Display a custom receipt using the transaction response.
 
 ### Apple Pay On The Web
-Authorize.Net supports Apple Pay on the Web in addition to our in-app Apple Pay Support. See our [developer documentation](http://developer.authorize.net/api/reference/features/in-app.html) for more details.   
+
+Authorize.Net supports Apple Pay on the Web in addition to our in-app Apple Pay Support. See our [developer documentation](http://developer.authorize.net/api/reference/features/in-app.html) for more details.
 
 ![Apple Pay Screenshot](screenshots/apple-pay.png "Screenshots showing Apple Pay on the Web.")
 
-In this sample we demonstrate how to:  
+In this sample we demonstrate how to:
 
-* Integrate with the ApplePay.js library.  
-* Validate your merchant identity from your server.  
-* Complete the transaction by passing the Apple Pay payment data in the Authorize.Net `createTransactionRequest` API call.  
+- Integrate with the ApplePay.js library.
+- Validate your merchant identity from your server.
+- Complete the transaction by passing the Apple Pay payment data in the Authorize.Net `createTransactionRequest` API call.
 
 Please note that you will need to have a merchant ID set up with Apple as described in their [Apple Pay documentation](https://developer.apple.com/reference/applepayjs/).
diff --git a/createTransactionWithProfile.php b/createTransactionWithProfile.php
index bf5ddfe..53ec084 100644
--- a/createTransactionWithProfile.php
+++ b/createTransactionWithProfile.php
@@ -9,25 +9,57 @@
     exit;
 }
 
+// SAMPLE ONLY:
+// Customer Profile IDs and Payment Profile IDs are issued by Authorize.Net
+// and are short numeric strings. In a production application you would
+// derive these from the authenticated user's profile in your own datastore,
+// not from POST. The pattern below shows the minimum input-validation shape
+// (filter_input with a digits-only regex + length cap).
+$customerProfileId = filter_input(INPUT_POST, 'customerProfileId',
+    FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^\d{1,13}$/']]);
+$paymentProfileId  = filter_input(INPUT_POST, 'paymentProfileId',
+    FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^\d{1,13}$/']]);
+if (!$customerProfileId || !$paymentProfileId) {
+    http_response_code(400);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Bad Request', 'message' => 'Invalid customerProfileId / paymentProfileId.']);
+    exit;
+}
+
 // Security: Validate that authenticated user owns the profile
+// (Compares the validated customerProfileId against the session-bound CPID.
+// In production, derive the CPID from the authenticated user, never from POST.)
 $authenticatedCustomerId = $_SESSION['authenticated_cpid'];
-$requestedCustomerId = $_POST['customerProfileId'];
-
-if($authenticatedCustomerId !== $requestedCustomerId){
+if ($authenticatedCustomerId !== $customerProfileId) {
     http_response_code(403);
     header('Content-Type: application/json');
     echo json_encode(['error' => 'Forbidden', 'message' => 'You do not have permission to use this profile']);
     exit;
 }
 
-// Security: Validate CSRF token
-if(!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']){
+// Security: Validate CSRF token (constant-time compare)
+if(!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])){
     http_response_code(403);
     header('Content-Type: application/json');
     echo json_encode(['error' => 'Forbidden', 'message' => 'Invalid CSRF token']);
     exit;
 }
 
+// SAMPLE ONLY:
+// This sample validates the posted amount for demonstration purposes.
+// In a production application, do NOT rely on the client-submitted amount.
+// Instead, calculate the amount server-side from the authenticated user's
+// cart or order. The pattern below shows the minimum input-validation
+// shape (filter_input + range check + canonical decimal form).
+$amount = filter_input(INPUT_POST, 'amount', FILTER_VALIDATE_FLOAT);
+if ($amount === false || $amount === null || $amount <= 0 || $amount > 10000) {
+    http_response_code(400);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Bad Request', 'message' => 'Invalid transaction amount. Amount must be between $0.01 and $10,000.00']);
+    exit;
+}
+$amountCanonical = number_format($amount, 2, '.', '');
+
 $transRequestXmlStr=<<<XML
 <?xml version="1.0" encoding="UTF-8"?>
 <createTransactionRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
@@ -54,9 +86,13 @@
 $transRequestXml->merchantAuthentication->addChild('name',$loginId);
 $transRequestXml->merchantAuthentication->addChild('transactionKey',$transactionKey);
 
-$transRequestXml->transactionRequest->amount=$_POST['amount'];
-$transRequestXml->transactionRequest->profile->customerProfileId=$_POST['customerProfileId'];
-$transRequestXml->transactionRequest->profile->paymentProfile->paymentProfileId=$_POST['paymentProfileId'];
+// SAMPLE ONLY:
+// Use the validated locals from above (NOT raw $_POST) when assigning into
+// the outbound XML. This guarantees the value the gate validated is the
+// exact value sent on the wire.
+$transRequestXml->transactionRequest->amount = $amountCanonical;
+$transRequestXml->transactionRequest->profile->customerProfileId = $customerProfileId;
+$transRequestXml->transactionRequest->profile->paymentProfile->paymentProfileId = $paymentProfileId;
 
 $url="https://apitest.authorize.net/xml/v1/request.api";
 
diff --git a/login.php b/login.php
index e5b7ca0..577ba8b 100644
--- a/login.php
+++ b/login.php
@@ -5,12 +5,26 @@
     // Handle form submission
 	if(isset($_POST['submit'])) 
 	{
-		$customerId = $_POST['form-username'];
-		
+		// SAMPLE ONLY:
+		// This "login" only binds an Authorize.Net Customer Profile ID into
+		// the session for the rest of the demo flow. It is NOT authentication.
+		// In a production application, replace this entire form with proper
+		// credentialed auth (password, SSO, OAuth, etc.). The pattern below
+		// shows the minimum input-validation shape (filter_input + format
+		// check) so the value stored in $_SESSION['authenticated_cpid'] is
+		// always a well-formed CPID.
+		$customerId = filter_input(INPUT_POST, 'form-username',
+			FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^\d{1,13}$/']]);
+		if (!$customerId) {
+			$_SESSION["cpid_error"] = 'true';
+			header('Location: login.php');
+			exit;
+		}
+
 		// Security: Regenerate session ID after authentication to prevent session fixation attacks
 		session_regenerate_id(true);
-		
-		// Store authenticated customer ID in server-side session
+
+		// Store the validated customer ID in server-side session
 		$_SESSION['authenticated_cpid'] = $customerId;
 
 		if(isset($_POST['cookieCheck'])){
diff --git a/transactionCaller.php b/transactionCaller.php
index 0e137cb..2fe5a27 100644
--- a/transactionCaller.php
+++ b/transactionCaller.php
@@ -9,22 +9,74 @@
     exit;
 }
 
-// Security: Validate CSRF token
-if(!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']){
+// Security: Validate CSRF token (constant-time compare)
+if(!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])){
     http_response_code(403);
     header('Content-Type: application/json');
     echo json_encode(['error' => 'Forbidden', 'message' => 'Invalid CSRF token']);
     exit;
 }
 
-// Security: Validate amount is reasonable (prevent money laundering and abuse)
-$amount = floatval($_POST['amount']);
-if($amount <= 0 || $amount > 10000){
+// SAMPLE ONLY:
+// This sample validates the posted amount for demonstration purposes.
+// In a production application, do NOT rely on the client-submitted amount.
+// Instead, calculate the amount server-side from the authenticated user's
+// cart or order. The pattern below shows the minimum input-validation
+// shape (filter_input + range check + canonical decimal form).
+$amount = filter_input(INPUT_POST, 'amount', FILTER_VALIDATE_FLOAT);
+if ($amount === false || $amount === null || $amount <= 0 || $amount > 10000) {
     http_response_code(400);
     header('Content-Type: application/json');
     echo json_encode(['error' => 'Bad Request', 'message' => 'Invalid transaction amount. Amount must be between $0.01 and $10,000.00']);
     exit;
 }
+$amountCanonical = number_format($amount, 2, '.', '');
+
+// SAMPLE ONLY:
+// `dataDescriptor` selects which Authorize.Net wallet/integration this
+// payment came from. In production, accept descriptors only via a
+// server-side allowlist tied to the merchant's enabled wallets.
+$allowedDataDesc = [
+    'COMMON.ACCEPT.INAPP.PAYMENT',  // Accept.js
+    'COMMON.APPLE.INAPP.PAYMENT',   // Apple Pay on the Web
+    'COMMON.VCO.ONLINE.PAYMENT',    // Visa Checkout
+];
+$dataDesc = filter_input(INPUT_POST, 'dataDesc', FILTER_DEFAULT) ?? '';
+if (!in_array($dataDesc, $allowedDataDesc, true)) {
+    http_response_code(400);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Bad Request', 'message' => 'Invalid dataDescriptor.']);
+    exit;
+}
+
+// SAMPLE ONLY:
+// `dataValue` is the Accept.js / wallet opaque-token payload. It is short,
+// JSON/Base64-shaped text — never free-form HTML/SQL. Pin a sane size and
+// character class. In production, also pin to your wallet provider's exact
+// token grammar.
+$dataValue = filter_input(INPUT_POST, 'dataValue', FILTER_DEFAULT) ?? '';
+if ($dataValue === '' || strlen($dataValue) > 8192 || !preg_match('/^[A-Za-z0-9+\/=._:{}",\s\-]+$/', $dataValue)) {
+    http_response_code(400);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Bad Request', 'message' => 'Invalid dataValue.']);
+    exit;
+}
+
+// SAMPLE ONLY:
+// `callId` is only present for the Visa Checkout branch and is a numeric
+// call identifier. In production, validate against your wallet provider's
+// exact call-id grammar.
+$callId = null;
+if ($dataDesc === 'COMMON.VCO.ONLINE.PAYMENT') {
+    $callId = filter_input(INPUT_POST, 'callId',
+        FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^[A-Za-z0-9_\-]{1,64}$/']]);
+    if (!$callId) {
+        http_response_code(400);
+        header('Content-Type: application/json');
+        echo json_encode(['error' => 'Bad Request', 'message' => 'Invalid Visa Checkout callId.']);
+        exit;
+    }
+}
 
 $transRequestXmlStr=<<<XML
 <?xml version="1.0" encoding="UTF-8"?>
@@ -52,20 +104,16 @@
 $transRequestXml->merchantAuthentication->addChild('name',$loginId);
 $transRequestXml->merchantAuthentication->addChild('transactionKey',$transactionKey);
 
-$transRequestXml->transactionRequest->amount=$_POST['amount'];
-$transRequestXml->transactionRequest->payment->opaqueData->dataDescriptor=$_POST['dataDesc'];
-$transRequestXml->transactionRequest->payment->opaqueData->dataValue=$_POST['dataValue'];
-
-if($_POST['dataDesc'] === 'COMMON.VCO.ONLINE.PAYMENT')
-{
-    $transRequestXml->transactionRequest->addChild('callId',$_POST['callId']);  
-}
-
+// SAMPLE ONLY:
+// Use the validated locals from above (NOT raw $_POST) when assigning into
+// the outbound XML. This guarantees the value the gate validated is the
+// exact value sent on the wire.
+$transRequestXml->transactionRequest->amount = $amountCanonical;
+$transRequestXml->transactionRequest->payment->opaqueData->dataDescriptor = $dataDesc;
+$transRequestXml->transactionRequest->payment->opaqueData->dataValue = $dataValue;
 
-if(isset($_POST['paIndicator'])){
-    //$transRequestXml->transactionRequest->addChild('cardholderAuthentication');
-    //$transRequestXml->transactionRequest->cardholderAuthentication->addChild('authenticationIndicator',$_POST['paIndicator']);
-    //$transRequestXml->transactionRequest->cardholderAuthentication->addChild('cardholderAuthenticationValue',$_POST['paValue']);
+if ($dataDesc === 'COMMON.VCO.ONLINE.PAYMENT') {
+    $transRequestXml->transactionRequest->addChild('callId', $callId);
 }
 
 $url="https://apitest.authorize.net/xml/v1/request.api";
diff --git a/validateJwt.php b/validateJwt.php
index 4b40ca1..82d08f3 100755
--- a/validateJwt.php
+++ b/validateJwt.php
@@ -8,13 +8,20 @@
 $jsonResponse['ErrorDescription'] = 'An error has occurred.';
 
 try{
-	$cardinalResponseJWT = $_POST['responseJwt'];
+	// SAMPLE ONLY:
+	// `responseJwt` is the Cardinal Cruise response JWT (3 dot-separated
+	// Base64URL segments). Gate obviously-malformed values before the crypto
+	// path. JWT::decode() will reject malformed input too, but a cheap
+	// regex+length filter keeps this endpoint cheap and predictable.
+	$cardinalResponseJWT = filter_input(INPUT_POST, 'responseJwt',
+		FILTER_VALIDATE_REGEXP,
+		['options' => ['regexp' => '/^[A-Za-z0-9_\-]{1,4096}\.[A-Za-z0-9_\-]{1,4096}\.[A-Za-z0-9_\-]{1,4096}$/']]);
 
-	if(isset($cardinalResponseJWT)) {
+	if ($cardinalResponseJWT) {
 		$decodedJwt = (array) JWT::decode($cardinalResponseJWT, getenv("CARDINAL_API_KEY"), true);
-		$jsonResponse = $decodedJwt['Payload']; 
+		$jsonResponse = $decodedJwt['Payload'];
 	} else {
-		$jsonResponse['ErrorDescription'] = 'Unable to locate the responseJwt in the POST Data.';
+		$jsonResponse['ErrorDescription'] = 'Unable to locate or validate the responseJwt in the POST Data.';
 	}
 } catch (Exception $e) {
 	// We defaulted to an error response above.

From a372bb6b879303b0bb08173738279d63621c9478 Mon Sep 17 00:00:00 2001
From: arunmish <arunmish@visa.com>
Date: Fri, 29 May 2026 12:35:47 +0530
Subject: [PATCH 9/9] fix:keys replaced with placeholder

---
 acceptJSCaller.js | 25 ++++++++++++++++++-------
 index.php         |  4 ++--
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/acceptJSCaller.js b/acceptJSCaller.js
index cc5eb90..745ad64 100644
--- a/acceptJSCaller.js
+++ b/acceptJSCaller.js
@@ -106,13 +106,24 @@ function acceptJSCaller() {
   cardData.year = document.getElementById("expiryDateYY").value;
   secureData.cardData = cardData;
 
-  // The Authorize.Net Client Key is used in place of the traditional Transaction Key. The Transaction Key
-  // is a shared secret and must never be exposed. The Client Key is a public key suitable for use where
-  // someone outside the merchant might see it.
-
-  authData.clientKey =
-    "6jZy4G5vmCEat9G3xjtNguj7DLw5NhgS4PBr4KNp7tV2tXa34E3BkdG33dcX4S84";
-  authData.apiLoginID = "3e3b5H4YLP";
+  // SAMPLE ONLY:
+  // `apiLoginID` is a non-secret merchant identifier (NOT a credential like
+  // `Transaction Key`). `clientKey` is the Authorize.Net Public Client Key —
+  // it is designed to be exposed to the browser; it can ONLY be used by the
+  // issuing merchant's own Accept.js flow to mint single-use, short-lived
+  // opaque tokens for that merchant's own card data.
+  //
+  // Per README, each developer must replace these placeholders with their
+  // own per-developer sandbox values. Generate them in the Authorize.Net
+  // Sandbox Merchant Interface → Account → Security Settings →
+  //   - "API Credentials & Keys" for the apiLoginID
+  //   - "Manage Public Client Key" for the clientKey
+  //
+  // The shared-secret `Transaction Key` (which IS a credential) lives only
+  // in your server-side env-vars (`getenv("TRANSACTION_KEY")` in
+  // transactionCaller.php) and is never sent to the browser.
+  authData.clientKey = "[YOUR_PUBLIC_CLIENT_KEY]";
+  authData.apiLoginID = "[YOUR_API_LOGIN_ID]";
   secureData.authData = authData;
 
   // Pass the card number and expiration date to Accept.js for submission to Authorize.Net.
diff --git a/index.php b/index.php
index 1b29d26..b93f6d9 100755
--- a/index.php
+++ b/index.php
@@ -693,8 +693,8 @@ function onVisaCheckoutReady() {
 						<button class="AcceptUI btn btn-primary btn-lg col-md-3 col-sm-offset-1 col-sm-4 col-xs-offset-2 col-xs-8" style="font-weight: bolder; font-size: 24px; margin-top: 10px; margin-bottom: 10px" 
 							type="button" id="acceptUIPayButton"
 							data-billingAddressOptions='{"show":true, "required":true}' 
-							data-apiLoginID="3e3b5H4YLP" 
-							data-clientKey="6jZy4G5vmCEat9G3xjtNguj7DLw5NhgS4PBr4KNp7tV2tXa34E3BkdG33dcX4S84"
+							data-apiLoginID="[YOUR_API_LOGIN_ID]"
+							data-clientKey="[YOUR_PUBLIC_CLIENT_KEY]"
             						data-acceptUIFormBtnTxt="Subscribe" 
 							data-acceptUIFormHeaderTxt="Payment Information" 
 							data-responseHandler="responseHandler">