[rsmith]

It seems very odd to me that the Verisign Payflow Pro module constructs hidden form fields in process_button() and then uses them in the before_process() to perform the credit card authorization. The customer could construct their own form, changing any values they want. I could create an order for $1,000.00, then build my own form and pay $0.01. The order will go thru. Why the round trip, shouldn't it just be pulling the information it needs on the before_process() from the session?

I'm guessing people double check the order with the payment or something.