Note:
Any information passed through the customer's browser can potentially be modified by the customer, or even by third parties to fraudulently alter the transaction data. Therefore all transactional information should not be passed through the browser in a way that could potentially be modified (e.g. hidden form fields). Transaction data should only be accepted once from a browser at the point of input, and then kept in a way that does not allow others to modify it (e.g. database, server session, etc.). Any transaction information displayed to a customer, such as amount, should be passed only as display information and the actual transactional data should be retrieved from the secure source last thing at the point of processing the transaction.