We use Authorize.Net to collect payments for some kind of verification process of our potential customers. The process requires asking the users for their SSN (social security number). As this is sensitive data, we don't store it in our database. When the user successfully makes a payment, we need to send their SSN to a web service that generates some background check reports on the customer.
We didn't want our application servers to see the CC data, so we integrated using the DPM (direct post) method. There's one problem with that. When Authorize.Net makes a payment confirmation call to our server, we need to receive the SSN number with it, so we can fire the background check. To do that, we encrypt the SSN (using a strong secure algorithm, with salt and separate keys for each customer) and send it to Authorize.Net as a merchant defined custom field. When Authorize.Net confirms the payment, it sends the custom fields back to our server and we decrypt them to fire the background checks.
Merchant defined fields aren't supposed to be stored in Authorize.Net's database according to the documentation, but we're wondering whether sending those encrypted SSN numbers in a merchant defined field is allowed.
Thank you for your time.
01-28-2014 04:25 AM - edited 01-28-2014 04:26 AM
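The round trip described in the post above, sketched as an added example that is not the poster's code or Authorize.Net's. It assumes AES-256-GCM with a per-customer key derived by HKDF from a merchant-held master key; the function names, `MASTER_KEY`, and the customer and invoice identifiers are hypothetical, and binding the ciphertext to them is a choice made for this sketch.

```javascript
// Added example with constructed values; not code from the original post.
const { createCipheriv, createDecipheriv, hkdfSync, randomBytes } = require("node:crypto");

// Assumption: a master secret that only the merchant's servers hold (e.g. from a KMS).
const MASTER_KEY = randomBytes(32);

// Derive a separate AES-256 key per customer from the master key and that customer's salt.
function customerKey(customerId, salt) {
  return Buffer.from(hkdfSync("sha256", MASTER_KEY, salt, `ssn-field:${customerId}`, 32));
}

// Encrypt the SSN for the outbound custom field. The customer and invoice ids are
// authenticated as AAD, so the value only decrypts for this customer and payment.
function sealSsn(ssn, customerId, invoiceNum, salt) {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", customerKey(customerId, salt), iv);
  cipher.setAAD(Buffer.from(`${customerId}|${invoiceNum}`));
  const ct = Buffer.concat([cipher.update(ssn, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Decrypt the field echoed back in the confirmation call. Returns null when the
// value was altered in transit or belongs to a different customer or invoice.
function openSsn(field, customerId, invoiceNum, salt) {
  const raw = Buffer.from(field, "base64url");
  if (raw.length < 28) return null; // needs at least a 12-byte IV and 16-byte tag
  const key = customerKey(customerId, salt);
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12), { authTagLength: 16 });
  decipher.setAuthTag(raw.subarray(12, 28));
  decipher.setAAD(Buffer.from(`${customerId}|${invoiceNum}`));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: do not start the background check
  }
}

// Constructed sample: "000-12-3456" is not an issuable SSN.
const demoSalt = randomBytes(16);
const demoField = sealSsn("000-12-3456", "cust-1", "inv-1001", demoSalt);
console.log(openSsn(demoField, "cust-1", "inv-1001", demoSalt)); // original value
console.log(openSsn(demoField, "cust-1", "inv-1002", demoSalt)); // null, wrong invoice
```

The salt is stored per customer on the merchant side; only the base64url value travels through the payment form and back.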
It doesn't look like anyone has responded yet, but someone still may have feedback on what you're looking for. I'd recommend subscribing to this topic so that you'll be alerted via email if anyone else from the community is able to respond with any comments. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies to your post.
Thanks,
Richard
01-31-2014 02:05 PM