Note:
Any information passed through the customer's browser
can potentially be modified by the customer, or even by third parties, to
fraudulently alter the transaction data. Therefore transactional
information should never be passed through the browser in
a way that could potentially be modified (e.g. hidden form fields).
Transaction data should only be accepted once from a browser, at the
point of input, and then kept in a way that does not allow others
to modify it (e.g. database, server session, etc.). Any transaction
information displayed to a customer, such as amount, should be passed
only as display information, and the actual transactional data should be
retrieved from the secure source as the last step before processing
the transaction.
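
The pattern described in this note, as an added example (not code from the original page or from any payment provider). The catalogue, the in-memory ORDERS store, the session ids and all function names are assumptions made for illustration; it contrasts a handler that trusts a hidden "amount" field with one that reads the amount from the server-side record at the point of processing.

```python
import secrets

# Constructed catalogue (prices in pence); every name in this block is hypothetical.
CATALOGUE = {"widget": 1999, "gadget": 4500}
ORDERS = {}  # stand-in for a database table or server-side session store

def create_order(session_id, form):
    """Point of input: accept the customer's choices once, price them server-side."""
    item, qty = form["item"], int(form["qty"])
    if item not in CATALOGUE or not 1 <= qty <= 100:
        raise ValueError("invalid order")
    order_id = secrets.token_urlsafe(16)  # unguessable reference, safe to send out
    ORDERS[order_id] = {"session": session_id,
                        "amount": CATALOGUE[item] * qty,
                        "paid": False}
    return order_id

def render_confirmation(order_id):
    """The amount is sent as display text only; the form carries just the reference."""
    amount = ORDERS[order_id]["amount"]
    return {"display_amount": f"{amount // 100}.{amount % 100:02d}",
            "fields": {"order_id": order_id}}

def process_payment_unsafe(form):
    """What the note warns against: charge whatever the hidden field says."""
    return int(form["amount"])

def process_payment(session_id, form):
    """Retrieve the amount from the secure source as the last step before charging."""
    order = ORDERS.get(form.get("order_id"))
    if order is None or order["session"] != session_id or order["paid"]:
        raise ValueError("unknown, foreign or already processed order")
    order["paid"] = True
    return order["amount"]  # a posted 'amount' field is never read
```
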