I have previously implemented AIM (in a .Net environment) and used the following process on a web site:
1. User selects items into shopping cart
2. User requests checkout
3. User fills out credit card and billing/shipping information and submits
4. System sends WebRequest to Authorize.Net to charge credit card and gets response back
5. If response is successful
system creates an order in the database
system sends email to user with order information
else
system shows the error returned by Authorize.Net to the user
user can choose to fix error and re-submit the order
Of particular note in this process is that an order is not created until the credit card is charged. This prevents orders being created that are abandoned and never get charged.
I now have to implement SIM for a merchant and see the process needs to change. I plan on using the
relay reponse feature. I have created a test application and undertand the technical requirements for this solution. I have also reviewed the threads involving SIM and have not seen this question asked.
It seems the process has to create an order in the database prior to posting to the Authorize.Net
hosted payment form.
If I wait to create an order until the relay response is received, and if the relay response times
out, the credit card would be charged in Authorize.Net but no order would exist in the merchant's
system.
The process I am considering is:
1. User selects items into shopping cart
2. User requests checkout
3. System creates an order in the database with a 'pending payment' status
4. System posts the html form to Authorize.Net and the Hosted Payment Form shows on Authorize.Net
5. User fills out credit card and billing/shipping data on hosted payment form and submits
6. If Authorize.Net validations pass
Authorize.Net charges credit card
Authorize.Net sends relay response to Merchant URL with success code
else
Authorize.Net sends relay response to Merchant URL with error code
7. If the relay response does not time out
Merchant system relay response page processes response
Successful transactions have order updated (status = 'paid') and emails sent to user
Failed transactions show an error to the user and allow the user to re-submit
else
Merchant system relay response page is not executed and
the order is left in 'pending payment' status
Authorize.Net sends timeout email to Merchant contact
Merchant contact researches transaction and goes into merchant system to
update order to 'paid' via some custom developed utility.
I don't like this solution as it
(a) can potentially create 'pending payment' orders in the merchant system that never get paid if the
user chooses not to complete the credit card process on the Authorize.Net hosted payment form. These
'orphaned' orders will need to be deleted.
(b) requires merchant user interaction to recover from a paid transaction that times out on the relay
response
Does anyone have a process design for SIM that avoids these issues yet handles the relay response timeout problem?
Thank you in advance for your time reading this and offering suggestions.
โ05-19-2010 01:47 PM
As I see that no one responded to your post I am curious how you solved this problem. I am currently writing a solution where the order is not created in the database until the customer credit card is successfully debited and then silent post is my method of returning order data to my server.
โ01-05-2011 06:56 AM
I have the same setup as you pbloom. We used to use AIM which gives you instant feedback and since you are the one making the call to the Auth.Net you know that the response is coming is valid.
I have an open question to the forum, which I hope gets answered soon. The question is how do we know that the relay response is actually coming from Auth.Net and not someone spoofing their callback. To me this seems like a huge security hole, but that might just be because I don't have the answer yet.
Anyway I think the setup you have is the best possible one. The reason we went with it was to deal with session timeouts from our application while the user was at the Auth.Net form.
โ01-05-2011 08:06 AM
I have not implemented this verification in my script yet but I believe the verification for the transaction is in the form of x_MD5_Hash
The payment gateway generated MD5 hash value that can be used to authenticate the transaction response. (pg. 54 in the SIM_guide.pdf)
Also read this thread
โ01-05-2011 08:45 AM
hey pathfinder,
I realized this was where my wires were getting crossed. I thought that the hash passed back on the relay response was the same as the one I had sent in the payment form request.
โ01-05-2011 11:26 AM
Ya, I crossed the same wires. Let us know if you get x_MD5_Hash working for you and I am interested if the code in that thread works.
โ01-05-2011 11:49 AM
I was able to get the MD5 hash setup. I would have saved myself a day's worth of headaches if I had read the doc correctly.
โ01-11-2011 03:29 PM - edited โ01-11-2011 03:29 PM
Been there, done that. Did you use the code from the thread above? Of if not will you post your code? Same me and others from the same headaches.
โ01-11-2011 04:05 PM
Hello pbloom,
I know this post is almost 4 years old but have you found a better work around for recovering from SIM relay response timeouts? I was thinking of implementing something similar but was hopping there would be a better approach.
Thanks,
โ03-19-2014 09:33 AM - edited โ03-19-2014 09:34 AM