Hello. I am looking at the page /ecommerce/control/updateCheckoutOptions/quickcheckout, and see that you can set a "checkOutPaymentId" that is posted to /ecommerce/control/checkout. I've followed the code all the way to the payment gateway, but don't see any security verifying that the user didn't change the checkOutPaymentId to one that is not their own before posting. I assume I am missing something?
Thanks, Mason
