
Customer Information Manager Question....

When using CIM, and we choose the option to store and reuse their credit card number/payment info they entered, do we have to grab it and populate it on the form, or is there a way (which is our first preference) to just pass something that will indicate that we want to use the credit card number on authorize.net servers but without having to see/touch it at all? (We don't want to have to first retrieve the CC# and have it on our end and then resubmit it back.)

 

Is this possible?

endangeredsp
Member
11 REPLIES 11

That's exactly what CIM is for. You tell CIM which payment profile to use and it charges the credit card accordingly.


John Conde :: Certified Authorize.Net Developer (Brainyminds) :: Official Authorize.Net Blogger
stymiee
Expert

When you set up a CIM profile and billing profile, you get back profile IDs, which are what you use to charge transactions from then on. You do not get back the credit card info; in fact, credit card info is impossible to retrieve short of submitting a ticket to Authorize.net through your account interface and asking them to export you a file manually. The most you can access through the CIM API is the last 4 digits - the rest is masked for obvious security reasons.

 

If you're using CIM, you'll have a user account for each person in your database, and you'll store their profile ID and billing profile ID(s) in your database. If a payment comes due, you just generate a charge against those IDs and you're good to go - assuming the credit card is still active and has sufficient balance. If you want to validate the credit card info ahead of the first charge, there's something called validation mode, which amounts to Authorize.net internally charging for $0.01 or $0.00 and then immediately voiding so as to verify that the credit card works. This does generate a transaction fee, of course.

TJPride
Expert

Thanks for your quick reply!

Another question: Why do we need to store two IDs? You mentioned profile ID and billing ID. Am I correct in my understanding that Profile ID would be for each customer? Why would Billing ID also be needed? Does this mean they can store more than one Credit Card?

Also, apologies if all of this is documented somewhere. If it is, can someone direct me to the document so that I can get started with my understanding on how to begin implementing this option?

They can store more than one billing method, which would include multiple credit cards as well as eCheck and bank accounts if your merchant supports those.

Another question....

If we do give a customer an option to store more than one credit card, will you be able to push back to us an indicator of which billing ID is for which Credit card? (I.e. the last four digits of the credit card so they'll know which billing ID they'll want to choose to use?) My company is in a discussion of giving the user the option to select (from maybe a pulldown) what credit card/billing ID they'd like to use, and I imagine the customer won't recognize the billing ID when they are selecting from the pulldown.

getCustomerPaymentProfile()

 

Sample XML dump of output:

<?xml version="1.0" encoding="utf-8"?> 
<getCustomerPaymentProfileResponse 
xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd"> 
  <messages> 
    <resultCode>Ok</resultCode> 
    <message> 
      <code>I00001</code> 
      <text>Successful.</text> 
    </message> 
  </messages> 
  <paymentProfile> 
    <billTo> 
      <firstName>John</firstName> 
      <lastName>Doe</lastName> 
      <company></company> 
      <address>123 Main St.</address> 
      <city>Bellevue</city> 
      <state>WA</state> 
      <zip>98004</zip> 
      <country>USA</country> 
      <phoneNumber>000-000-0000</phoneNumber> 
      <faxNumber></faxNumber> 
    </billTo> 
    <customerPaymentProfileId>20000</customerPaymentProfileId> 
    <payment> 
      <creditCard> 
        <cardNumber>XXXX1111</cardNumber> 
        <expirationDate>XXXX</expirationDate> 
      </creditCard> 
    </payment> 
  </paymentProfile> 
</getCustomerPaymentProfileResponse> 

As you can see, it will return the payment type and all non-protected data. For instance, the card number is masked but you do get back the last 4 digits, which you could then display for your customer in a pull-down for him to choose from.
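
An added example, not part of the original post: parsing a response like the one above in Python to build the pull-down entry, keeping only the payment profile ID and the last four digits. The function name `dropdown_entry` and the label wording are assumptions, and the sample is constructed from the dump above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"a": "AnetApi/xml/v1/schema/AnetApiSchema.xsd"}
MASKED = re.compile(r"^X+(\d{4})$")  # mask plus last four, e.g. XXXX1111

# Constructed sample, trimmed from the response shown above.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<getCustomerPaymentProfileResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages><resultCode>Ok</resultCode>
    <message><code>I00001</code><text>Successful.</text></message></messages>
  <paymentProfile>
    <customerPaymentProfileId>20000</customerPaymentProfileId>
    <payment><creditCard>
      <cardNumber>XXXX1111</cardNumber>
      <expirationDate>XXXX</expirationDate>
    </creditCard></payment>
  </paymentProfile>
</getCustomerPaymentProfileResponse>"""


def dropdown_entry(response_xml: bytes) -> dict:
    """Return the only two values worth keeping: profile ID and a display label."""
    root = ET.fromstring(response_xml)
    if root.findtext("a:messages/a:resultCode", namespaces=NS) != "Ok":
        code = root.findtext("a:messages/a:message/a:code", default="?", namespaces=NS)
        raise ValueError(f"CIM request failed: {code}")
    profile = root.find("a:paymentProfile", NS)
    if profile is None:
        raise ValueError("response has no paymentProfile element")
    profile_id = profile.findtext("a:customerPaymentProfileId", namespaces=NS)
    card = profile.findtext("a:payment/a:creditCard/a:cardNumber", namespaces=NS)
    match = MASKED.match(card or "")
    if match is None:
        # Anything other than mask + last four must not reach our database or logs.
        raise ValueError("card number is not in masked form; refusing to handle it")
    return {"payment_profile_id": profile_id, "label": f"Card ending in {match.group(1)}"}


if __name__ == "__main__":
    print(dropdown_entry(SAMPLE))
```
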

Why is the expiration date value xx'ed out? We were wondering if we'll be able to see this as well when it's pushed back? (To store on our end with the last 4 digits and use to determine if we'll hide the credit card/billing ID option if expiration date has expired.)

If you're storing credit card data on your own server, then you may as well ignore CIM entirely, since AIM is easier to implement if you have the credit card data available all the time. However, this is generally considered very bad practice, since it forces you to implement the highest levels of security.

 

Short version - the entire point of CIM is to avoid ever having to store credit card data on your computer / hosting. Hosted CIM even avoids the credit card data being transferred through your computer / hosting.