Cybersource Developer Community Cybersource Developer Community

khoata · ‎08-22-2014

Hello,

I want to integrate my system with a payment gateway and have some expectation:

- Our system uses credit/debit cards.

- Support future charges without retransmitting credit/debit card information.

- Simplify my work to comply PCI.

I researched Authorize.NET and come up with following solution.

- Using Customer Information Manager (CIM) to support future payment.

- CIM needs customers' credit card information, so I would use Direct Post Method (DPM) to collect the information and forward them to Authorize.NET CIM service.

However, I have concerns with that solution

1. By using DPM, credit cards information still goes through my web server and I need to consider it for PCI compliant. Are there any ways to support future payment and bypassing my server? For example, is it possible to use Server Integration Method (SIM) for the first payment and using the response result for CIM services to support future charges?

2. The solution with DPM is for client facing web interface because DPM has Web UI components and I guess it could help me to simplify PCI compliant by encrypting credit card information before transmitting to our server. In the future, I could support native mobile apps, my customers could submit card information from their mobile devices directly, does DPM have similar UI components for native mobile apps? If NOT, using SSL is enough for PCI compliant?

3. From http://www.authorize.net/resources/pcicompliance, I understand that validations from independent scan vendor for level 4 merchants are optional. Assuming that I apply the solution for my system, what is the process I should go through so that Authorize.NET considers my system is PCI compliant at level 4?

Please guide me a right direction to integrate Authorize.NET to my system.

RaynorC1emen7 · ‎08-25-2014

1)Your system would create the customer profile, then use the hosted form to have the end user enter then credit card info.

If you read chapter 4, you would see that the token required the customer profile id.

2)Once the end user create their payment profile, there GetCustomerProfile to get their payment profile id.

You probably would list the their cc entry and let the customer select which one to create the transaction from.

View solution in original post

RaynorC1emen7 · ‎08-26-2014

the credit card return from authorize.net is all masked cc#(e.g. xxxx1111). And your customer would probably want it because if they have multiple cc on files, they would want to know which one they are using.

And that the only one the return payment profile id.

View solution in original post

RaynorC1emen7 · ‎08-22-2014

DPM can't forward cc info to CIM, but CIM do have a hosted form options. read the doc in

http://developer.authorize.net/api/cim/ chapter 4

By using DPM, credit cards information still goes through my web server and I need to consider it for PCI compliant. Are there any ways to support future payment and bypassing my server?

DPM don't go thru your server, the form post directly to authorize.net

For example, is it possible to use Server Integration Method (SIM) for the first payment and using the response result for CIM services to support future charges?

No. same answer as DPM

2)right now it either using their SDKs for mobile apps(under download) where you would need to register every device.

or thru web browser interface.

khoata · ‎08-24-2014

Thank you very much for your advice. I have read CIM hosted option and looked at sample code, but still have one concern.

My system supports users to enter card information one time, and reuse that information for future payments. Even if using CIM hosted option, to create a payment transaction for a customer, my system need to know:

1. Customer profile id: will be generated by my system using API createCustomerProfileRequest.
2. Payment id: this should be created by customers using CIM hosted form (creating payment id needs credit card information, my server code should NOT handle this to simplify PCI compliant)

Because Payment id is created by using CIM hosted form, my system never know the id and could not create payment transactions. Please correct me if my understanding is not correct.

RaynorC1emen7 · ‎08-25-2014