matt warden wrote: >There are ways to be more secure... mainly by not involving the client in >the verification process. In other words, client to web server to >verification server back to the web server and back to the client with the >response. Here, we have the client directly interacting with the >verification server, which seems like just the easy way out. You got a point. There are actually several ways, as VeriSign is concerned, for information processing. The "easy-way-out" Is called Link Point. That's the scenario that I was taking about, at it is meant to be for small sites with less than $3000 in transactions per month. Needless to say that VeriSign uses in their setup proxy servers, so the client does not interact directly with the verification server. The result is also passed through a proxy server either to the client and /or optionally to the merchant web server that can then process the information depending on the result. Other option is their SDK that has quite a bit of flexibility as the setup is concerned and the information can be passed silently between the web server and the processing gateway. Other than that, they have integratrion packages for most OS and major cart software.