topic Re: Which method to use: AIM, SIM, CIM, DPM??? in Integration and Testing

Which method to use: AIM, SIM, CIM, DPM???

DougE — Thu, 01 Sep 2011 21:04:06 GMT

I would like the follwing in order of priority:

no PCI issues, all data stored on Authorize.net servers
customization of the payment pages look and feel
customers to stay on my site (url and design)

Here is my take:

AIM can do 2 and 3, but not 1. It takes CC data and requires much stricter PCI standards.

SIM can do 1 and 2, but takes you away from your URL

CIM can do 1, 2 and 3

Not sure about DPM.

I am using ExpressionEngine and CartThrob if that matters...

Re: Which method to use: AIM, SIM, CIM, DPM???

TJPride — Fri, 02 Sep 2011 13:05:31 GMT

If you want people to stay on your site, I think that eliminates SIM. You're then left with AIM and CIM and maybe DPM. All of those collect credit card data on your site, of course, so you then run into PCI - however, none actually store credit card info on your site, so the impact of PCI is pretty much limited to password security and who has access to the hosting. Things which you should be handling anyway.

If you're just processing single charges, I would recommend AIM. If you're processing subscriptions, CIM. As far as PCI goes, certainly look over the rules, but don't go nuts worrying about it unless your client requires formal PCI certification or something. Nobody's going to steal credit cards off your site unless they get into the hosting, and if they get into the hosting, no amount of security is going to save you vs a good hacker.

Re: Which method to use: AIM, SIM, CIM, DPM???

larrykluger — Fri, 02 Sep 2011 17:41:39 GMT

@TJPride, your info on DPM is out of date.

DPM or CIM are the ways to go since it gives you all three of your requirements.

It is NOT true that DBM collects credit card data on your site. What happens is that your site provides the "please enter your credit card number" page to the customer's browser. BUT, the page's post url is to Auth.net servers. This means that the card data is never sent to your site, not even for an instant.

Picture of the data flow from the DPM docs

AIM, on the other hand, sends the card data back to your server. Your server then "turns around" and sends the card data onward to Auth.net. Essentially, your server acts as a proxy to the Auth.net servers. Even if you never store the card data in a database, the card data is still present on your server. This means, according to current PCI, that your server is in the PCI envelope.

(It used to be that if your server merely transited the data--using AIM or equivalents from other gateways--that your server was not covered by PCI. But that is NO LONGER the case! PCI folks are not dumb, they realize that if your system is compromised, the card data could be intercepted.)

There are still lots of people laboring under the impression that if they use AIM, their server is not covered by PCI. They are all wrong.

An alternative is to use CIM--but only if you use the new CIM option of "Hosted CIM" See page 8 of the doc

Use CIM if you want to store the customer's credit card so they don't have to re-enter it the next time they want to purchase something. I use CIM for re-billing my customers monthly. -- I can't use ARB since the billed amounts vary.

Re: Which method to use: AIM, SIM, CIM, DPM???

TJPride — Sat, 03 Sep 2011 01:02:55 GMT

Ok, I stand corrected on DPM. I haven't actually used it myself, my experience so far has been with AIM, ARB, and CIM. But I should point out that since the form is on your site, it's still easy for anyone who gains access to your hosting to just change the post URL and insert an intermediary, which essentially scoops out the credit card info and then passes the post data on to Authorize.net. You are therefore no safer with DPM than you are with AIM or CIM, it again boils down to password and access security. Though I suppose the -illusion- of extra security might be appealing to some people.

Re: Which method to use: AIM, SIM, CIM, DPM???

DougE — Mon, 05 Sep 2011 16:39:11 GMT

Thanks for the replies. Very helpful.

Re: Which method to use: AIM, SIM, CIM, DPM???

jamesm113 — Thu, 08 Sep 2011 05:56:23 GMT

Is CIM an alternative to DPM/AIM/SIM? Or do you use CIM in combination with AIM/DPM/SIM?

Thanks

Re: Which method to use: AIM, SIM, CIM, DPM???

TJPride — Thu, 08 Sep 2011 14:52:47 GMT

CIM is the easiest way (in my opinion) to implement ongoing subscriptions or multiple charges without redirecting to a page on Authorize.net. ARB and SIM would be the alternatives to it. AIM and DPM are more for one-time charges, with AIM again being the option that lets you keep everything on your own site.

The short answer is that if you need CIM, you're not going to need anything else for the same transaction. CIM can handle both initial payment and ongoing payments, unlike ARB, which can do ongoing but requires you to use AIM for the first payment.

Re: Which method to use: AIM, SIM, CIM, DPM???

jamesm113 — Fri, 09 Sep 2011 21:22:38 GMT

Our customers will be frequent buyers, so we want to have their CC info stored so they can easily make purchases again. We are also not ready for the risk of using AIM yet.

So is CIM our best bet? We were considering DPM, but I don't think that allows you store CC info, is that correct?

Thanks

Re: Which method to use: AIM, SIM, CIM, DPM???

larrykluger — Fri, 09 Sep 2011 21:43:37 GMT

@jamesm113 -- you are correct. The only api that enables you to store the customer's credit card number (on Auth.net) is cim.

When you implement it, be sure to use the "hosted cim" option for collecting the card-holder's details.

Note that your sw won't have direct access to the card number, rather, you store a key that you use to ask cim to make another charge transaction against the stored card.

CIM works great, I use it in production.

Re: Which method to use: AIM, SIM, CIM, DPM???

jamesm113 — Tue, 13 Sep 2011 05:41:30 GMT

Thanks! :)

Re: Which method to use: AIM, SIM, CIM, DPM???

sathishbabu22 — Wed, 09 Nov 2011 09:32:23 GMT

Hi,

I am new to Authorize.Net, I need your advice to understand CIM method. For our project I have plan to use CIM for first/ intial payment and for ongoing paymnets. Please let me know can we achieve using CIM ?

Thanks

sathish.

Re: Which method to use: AIM, SIM, CIM, DPM???

TJPride — Wed, 09 Nov 2011 11:02:56 GMT

Yes, you can charge a profile immediately after you create it with CIM.

Re: Which method to use: AIM, SIM, CIM, DPM???

sathishbabu22 — Wed, 09 Nov 2011 14:59:32 GMT

Thanks for your reply! Also could you please explain where can I get detailed response for Custom Receipt after I submit

CreateCustomerProfileTransaction.

Re: Which method to use: AIM, SIM, CIM, DPM???

TJPride — Wed, 09 Nov 2011 21:01:01 GMT

Are you going to use hosted CIM (forms are hosted on Authorize.net) or regular CIM (forms are hosted on your site)? If the latter, it's probably fairly easy to do a custom receipt page, just print_r on $response or $transactionResponse (not sure which it would be) after putting in a sample transaction, and this will give you all the fields that Authorize.net returns. if the former, there should be sample code here (see the CIM section):

http://developer.authorize.net/downloads/samplecode/

Re: Which method to use: AIM, SIM, CIM, DPM???

Talentville — Wed, 16 Nov 2011 16:43:38 GMT

Your discussion of what portion of the authorize.net framework to use, but in the real world, as with my site that has both memberships and one-off purchases, do I then use CIM for purchases from my "members" and simply AIM to process individual transactions where I do not have a previously saved customer ID?

The issue is that I wonder why both AIM and CIM have a transaction processing method, would it not be easier if there was just one transaction processing method with an optiponal customer ID that could be passed in instead of individual field for name, card #, etc?

That seems logical to me, having it all wrapped up in one all encompassing method so that I would not have to use two completely different authorize.net modules to do the same thing, namely charging purchases. what makes no sense to me is the following logic: If (is a member) use CIM; else use AIM.

Re: Which method to use: AIM, SIM, CIM, DPM???

larrykluger — Wed, 16 Nov 2011 17:18:52 GMT

Re: do I then use CIM for purchases from my "members" and simply AIM to process individual transactions where I do not have a previously saved customer ID?

Correct. However, you should never use AIM for new development, use DPM instead. And likewise, you should never use standard CIM for new development, use "Hosted CIM" (see the api docs) instead.

You want to reduce your server's exposure to the card data (and to PCI) when-ever possible.

Re: why both AIM and CIM have a transaction processing method?

You're right, the Auth.net api's could be better integrated with each other. The good news is that the transaction fields for the different methods tend to be the same.

The feeling I get is that one thing they're working on is better integration between CIM, DPM and the ARB system. -- There should be no need to re-enter ARB payer info if it was recently entered as part of a transaction (AIM, DPM, etc) or is already within the CIM system.

I don't think Auth.net has many developers, so enhancements seem to roll out slowly. The good news is that their competitors are causing Auth.net to be more pro-active than they used to be. "All hail capitalism!"

Re: Which method to use: AIM, SIM, CIM, DPM???

TJPride — Thu, 17 Nov 2011 01:20:13 GMT

The PCI requirements for even AIM and regular CIM are not terribly difficult as long as only one person has access to the hosting and that person doesn't walk around with the password taped to his forehead. And a lot of people (myself included) prefer to charge things internally rather than forward to another site. Saying that they should -never- be used is going a bit overboard, imho. As long as they're available, they'll be an option that many people prefer. If they're ever disabled, you can kiss a large chunk of Authorize.net's user base goodbye.

I still argue that as long as you're not actually storing the credit card data locally, security starts and ends with access to the hosting. If someone gets into your hosting, you're doomed. Period. No amount of security is going to protect your customers. Only takes maybe 30 minutes to hack together an identical, fake payment form and then redirect people to that instead, for instance.

Re: Which method to use: AIM, SIM, CIM, DPM???

pinkstonm — Mon, 06 Feb 2012 23:28:29 GMT

We are new to authorize.net and would like to go this foute in favor of our current paypal process.

We are a youth sports group where parents register their children for tournaments.

1. enter player information and select tournaments on first page (ASP)

2. save entered information on previous form in access db, presents payment page with paypal paynow button

3. paynow button when clicked routes the customer to paypal via the following code:

When the transaction is complete in paypal, the ipnpaypal.asp is executed automatically on our site to post paid to the transaction.

Can we do this with authorize.net and are there any practice native ASP examples we can use?

Re: Which method to use: AIM, SIM, CIM, DPM???

TJPride — Tue, 07 Feb 2012 05:34:45 GMT

I moved my reply to your new thread.

http://community.developer.authorize.net/t5/Integration-and-Testing/Coming-from-PayPal-and-Need-guidance/m-p/22707/highlight/false#M12265