Reply
Highlighted
Contributor
Posts: 11
Registered: ‎02-27-2015

Avoid PCI by relying completely on Authorize.net

Hi all. We've got a slight problem. I'm a new-ish freelance developer making a site for a start-up. They generally only do cash/over-the-phone/hand delivery of items. As they are getting more popular, they want to move onto the internet world to handle a lot more of the transactions. We're on sort of a tight schedule, as they are hoping to get this all ready by next weekend. (And I, the sole developer, also work a full-time job)

This company also does a lot of on-the-go transactions. A major feature they have requested is the ability to allow customers to save their credit card info so that we can simply ping Authorize.net with an ID and an amount, and Authorize can handle the credit card info and transaction. 

The problem, since we are a small site, is getting PCI compliant and all the other standards is pretty tough. The solution?

 

I would like to redirect the user to enter their information through a direct Authorize.net portal which is compliant to all the standards. Upon success, Authorize.net sends me (our site) some sort of user identification, which I can store. 

When the user wants to buy something, we create a transaction to Authorize.net with that ID, our API Key, the Transaction key, and the amount, this side works its magic, sends us a success, and we can all be on our merry little way.

 

I know this kind of sounds like a 'too easy to be true' type thing, but is this possible and is there any other workaround?

 

Thanks ahead for any help! 

Highlighted
Posts: 2,765
Topics: 57
Kudos: 245
Blog Posts: 67
Registered: ‎12-05-2011

Re: Avoid PCI by relying completely on Authorize.net

Hello @Rockster160 

 

Welcome to the community. Assuming your client already has a gateway and merchant account, I suggest  starting by watching our training videos http://developer.authorize.net/videos

 

Next, you should look at Customer Information Manager which allows you to securely store payment profiles and use them for repeat transactions.  To reduce your PCI scope, you should consider using the hosted payment form.  See more details at http://developer.authorize.net/api/cim

 

Good luck.

 

Richard

Highlighted
Contributor
Posts: 11
Registered: ‎02-27-2015

Re: Avoid PCI by relying completely on Authorize.net

There is *painfully* little documentation on how to integrate it... I watched all of the training videos and read the majority of the relevant CIM XML guide. 

 

I'm using Ruby on Rails, and receiving an E00002 error, "The content-type specified is not supported" when I try to get the Profile token. I am sending the request as an XML format, but I am not actually *specifying* it anywhere.  I'm pretty mch at a loss with what to do with this stuff. I'm not used to things actually being difficult to integrate and get set up. Usually I have a pretty easy time with stuff like that.

 

Here is a preview of the related code for the request that I have:

    xml = "<?xml version='1.0' encoding='utf-8'?>
    <getHostedProfilePageRequest xmlns='AnetApi/xml/v1/schema/AnetApiSchema.xsd'>
    <merchantAuthentication>
    <name>'-----------'</name>
    <transactionKey>'----------------'</transactionKey>
    </merchantAuthentication>
    <customerProfileId>'--------'</customerProfileId>
    </getHostedProfilePageRequest>"

    uri = URI('https://apitest.authorize.net/xml/v1/request.api')
    res = Net::HTTP.post_form(uri, xml: xml)

 

Highlighted
Member
Posts: 6
Registered: ‎02-13-2015

Re: Avoid PCI by relying completely on Authorize.net

Cim is the answer to go. you can store all customer detail along with credit card information in cim, in  return cim will give you a customer id and payment Profile Id , through you can charge any specific customer and any specifi credit card.

Highlighted
Contributor
Posts: 11
Registered: ‎02-27-2015

Re: Avoid PCI by relying completely on Authorize.net

I should probably close this post and make a new one for the new question, huh...?