Newbie Question - CreditCard Postback

dnsBuffaloNY — Mon, 26 Sep 2016 21:50:55 GMT

Hello,

I'm looking to integrate Authorize.Net in my existing website. My website was developed in .Net, therefore, I plan on using the Authorize.Net SDK for c#.net

Also, I have purchased and installed a SSL certificate for my website.

I'm paranoid that I'm in compliance with handling credit cards. Currently, I'm using PayPal Express checkout on my website, but I want something better so my customers can enter a credit card number/expiration date instead of getting redirected to PayPal to complete the transaction (I use PayPal IPNs to get notifications).

I'm able to create a <form> on a web page, gather the necessary customer information (first name, last name, address, credit card number, expiration date, security code, ...). I've played with the Authorize.Net SDK for c#, and I'm comfortable making the call (with the API Logon Id and API Transaction Key) to charge the card.

Here's my question: Is it alright that Credit Card data a customer enters on my web page will be posted back to my website using ssl/https? Of course, I'm not saving any of the credit card data (I don't want that liability); I'm simply getting the information from the post back data and using it in the SDK to charge the card. I'm not saving the Credit Card data anywhere, but I'm concerened that it will be in the memory of my server. I'm not sure if it will be in my IIS logs too?

Here's a "snippet" of c#.net code I will be using.

			
var creditCard = new creditCardType
{
     cardNumber = Request["txtCardNumber"],
     expirationDate = Request["txtExpiration"],
     cardCode = Request["txtSecurityCode"]
 };
			
var billingAddress = new customerAddressType
{
   ...
}
			
//standard api call to retrieve response
var paymentType = new paymentType { Item = creditCard };
			
var transactionRequest = new transactionRequestType
{
     transactionType = transactionTypeEnum.authCaptureTransaction.ToString(),    // charge the card
     amount = amount,
     payment = paymentType,
     billTo = billingAddress,
     lineItems = lineItems
};
            
var request = new createTransactionRequest { transactionRequest = transactionRequest };
            
// instantiate the contoller that will call the service
var controller = new createTransactionController(request);
controller.Execute();

Do I need to consider using a different technique so the credit card data does not post back to my server? If so, any recommendations (I see there is a java script library Accept.js?) I also considered purchasing nSoftware E-Payment Integrator so the CC data would not touch my server.

Thank you for you time!

Re: Newbie Question - CreditCard Postback

RichardH — Mon, 26 Sep 2016 23:26:42 GMT

Hello @dnsBuffaloNY

Using Accept.js can help you reduce your pci scope because card data does not pass through your server. And you maintain control over the user experience.

Having card data pass through your server would be fully in scope for compliance.

Richard

topic Newbie Question - CreditCard Postback in Integration and Testing

Newbie Question - CreditCard Postback

Re: Newbie Question - CreditCard Postback