topic Solutions for integrating with Authorize.NET in Integration and Testing

Solutions for integrating with Authorize.NET

khoata — Fri, 22 Aug 2014 07:59:27 GMT

Hello,

I want to integrate my system with a payment gateway and have some expectation:

- Our system uses credit/debit cards.

- Support future charges without retransmitting credit/debit card information.

- Simplify my work to comply PCI.

I researched Authorize.NET and come up with following solution.

- Using Customer Information Manager (CIM) to support future payment.

- CIM needs customers' credit card information, so I would use Direct Post Method (DPM) to collect the information and forward them to Authorize.NET CIM service.

However, I have concerns with that solution

1. By using DPM, credit cards information still goes through my web server and I need to consider it for PCI compliant. Are there any ways to support future payment and bypassing my server? For example, is it possible to use Server Integration Method (SIM) for the first payment and using the response result for CIM services to support future charges?

2. The solution with DPM is for client facing web interface because DPM has Web UI components and I guess it could help me to simplify PCI compliant by encrypting credit card information before transmitting to our server. In the future, I could support native mobile apps, my customers could submit card information from their mobile devices directly, does DPM have similar UI components for native mobile apps? If NOT, using SSL is enough for PCI compliant?

3. From http://www.authorize.net/resources/pcicompliance, I understand that validations from independent scan vendor for level 4 merchants are optional. Assuming that I apply the solution for my system, what is the process I should go through so that Authorize.NET considers my system is PCI compliant at level 4?

Please guide me a right direction to integrate Authorize.NET to my system.

Re: Solutions for integrating with Authorize.NET

RaynorC1emen7 — Fri, 22 Aug 2014 11:16:48 GMT

DPM can't forward cc info to CIM, but CIM do have a hosted form options. read the doc in

http://developer.authorize.net/api/cim/ chapter 4

By using DPM, credit cards information still goes through my web server and I need to consider it for PCI compliant. Are there any ways to support future payment and bypassing my server?

DPM don't go thru your server, the form post directly to authorize.net

For example, is it possible to use Server Integration Method (SIM) for the first payment and using the response result for CIM services to support future charges?

No. same answer as DPM

2)right now it either using their SDKs for mobile apps(under download) where you would need to register every device.

or thru web browser interface.

Re: Solutions for integrating with Authorize.NET

khoata — Mon, 25 Aug 2014 05:08:57 GMT

Thank you very much for your advice. I have read CIM hosted option and looked at sample code, but still have one concern.

My system supports users to enter card information one time, and reuse that information for future payments. Even if using CIM hosted option, to create a payment transaction for a customer, my system need to know:

1. Customer profile id: will be generated by my system using API createCustomerProfileRequest.
2. Payment id: this should be created by customers using CIM hosted form (creating payment id needs credit card information, my server code should NOT handle this to simplify PCI compliant)

Because Payment id is created by using CIM hosted form, my system never know the id and could not create payment transactions. Please correct me if my understanding is not correct.

Re: Solutions for integrating with Authorize.NET

RaynorC1emen7 — Mon, 25 Aug 2014 11:22:23 GMT

1)Your system would create the customer profile, then use the hosted form to have the end user enter then credit card info.

If you read chapter 4, you would see that the token required the customer profile id.

2)Once the end user create their payment profile, there GetCustomerProfile to get their payment profile id.

You probably would list the their cc entry and let the customer select which one to create the transaction from.

Re: Solutions for integrating with Authorize.NET

khoata — Tue, 26 Aug 2014 04:04:37 GMT

Thank you for quick response. By using GetCustomerProfile request, I could get payment profile id, but the response also includes credit cards information. It's my concern for PCI compliance. I reviewed the document again, but didn't find APIs that only return payment profile id. Please help if you have other solutions that completely ignore credit card information.

Re: Solutions for integrating with Authorize.NET

RaynorC1emen7 — Tue, 26 Aug 2014 11:02:24 GMT

the credit card return from authorize.net is all masked cc#(e.g. xxxx1111). And your customer would probably want it because if they have multiple cc on files, they would want to know which one they are using.

And that the only one the return payment profile id.

Re: Solutions for integrating with Authorize.NET

khoata — Wed, 27 Aug 2014 02:56:20 GMT

Thank you very much for your kindly help. Your advices help me a lot in PCI compliant.