You should consider the possibility of spoofed responses appearing to come from the authorization server. That could happen during DoS attacks on them, or man-in-the middle attack on you. It's not a cgi security matter in the narrow sense, but it certainly matters to the merchant.

After Compline,
Zaxo