cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

Accept Hosted IFrame communicator, email our company when client adds or edits credit card.

1) We use Authorize.Net's getHostedProfilePageRequest in a hosted IFrame to enter Authorize.Net credit cards using profile.js. profile.js notifies the IFrames's containing webpage through the IFrameCommunicator webpage when a single credit card is saved.


Would Authorize.Net allow profile.js to notify the IFrames' containing webpage when saving an added or edited credit card in a multiple credit card hosted IFrame? <form method="post" action="https://accept.authorize.net/customer/editPayment"> has no hidden field named paymentProfileId. We'd need to email our company when a client adds or edits a credit card.


2) Does gathering credit card information in a non-Authorize.Net web page, transmitting the credit card information to a non-Authorize.Net server and saving the credit card using Authorize.Net API's to add, update and delete the Customer Payment Profile violate Payment Card Industry Data Security Standards (PCI DSS)? Customer credit card information would be in non-Authorize.Net server memory before calling Authorize.Net API's to add, update and delete the Customer Payment Profile.

bobjones
Member
3 REPLIES 3

Hi @bobjones,

 

For #1, there's no current way to do what you describe, but I can definitely see the usefulness in such a scenario.

 

I'd encourage you to post this onto our Ideas Forum where others can take a look, contribute feedback, and vote for new features.

 

Having said that, there are ways to get notifications when a profile changes. I'd urge you to look into our Webhook notifications, which might be a way of doing what you want.

 

For #2, it's sort of a tricky question. You can still be compliant with the PCI-DSS standard doing what you describe, but a lot more of the work of proving compliance is on you. When you use someone else's hosted solution (like our Accept Customer profile management), you have the ability to just do a self-assessment questionnaire verifying that you meet certain standards and that you're using the third-party technology correctly.

 

Once you have any way to see the card information, in memory or stored or otherwise, it's a much bigger process to verify compliance, involving outside auditors and testing and things.

 

I can't answer any specific questions about what would be compliant with which part of the PCI-DSS spec or what exactly one would have to do to be compliant. Those answers all vary depending on someone's specific implementation, so we'd always tell you to contact a qualified PCI assessor for guidance.

Aaron
All Star

In the New Ideas forum, I entered "Add webhook when saving added/edited payment profiles" by bobjones on โ€Ž09-18-2017 02:55 PM, https://community.developer.authorize.net/t5/Ideas/Add-webhook-when-saving-added-edited-payment-prof....
While Aaron Wright, Developer Advocate - Authorize.Net thought it was a good idea, it hasn't gotten any votes yet in the New Idea forum. I entered the New Idea twice. When the first entry didn't get any votes for a couple week, I deleted that entry and entered a more clearly written version of new idea. But the second entry hasn't gotten any votes either.
Can this idea be implemented anyway, even if it doesn't get votes?

Hi @bobjones,

 

Having a lot of votes would be one way we could gauge interest in a feature, but it's not the only way by any means. A good idea with no votes is still a good idea. When it comes time for us to consider suggestions, we consider things like the ease of implementation, the marketability of the feature, or existing demand as measured through other channels. Your idea, even though it my not have any votes, would still be given the same serious consideration as other ideas.