Member
Posts: 2
Registered: ‎03-20-2017

Response Codes to an Intranet Site for Accept Hosted

I am working on adding support for Authorize.Net to our application.  The application is an in-house application for Insurance Companies.  Imagine a Customer Services Representative on the phone with a customer, taking credit card information over the phone. 

 

Firstly, there are no issues when using the regular API.  However, that's SAQ-D.  I'm looking to explore an SAQ-A solution, which is where using the Accept Hosted method is more suitable. 

 

I have most features working.  I can pass customer data (address, name, phone, etc.) over to the hosted form, which I'm loading in an IFRAME.  Payment and processing (in the SANDBOX) works well too.  But I'm unable to retrieve the Auth Code or Transaction ID.  The issue stems from the web site being behind a corporate firewall, so Authorize.Net cannot communicate back to my page.  Or at least that's my theory as I'm not seeing any messages.

 

The documentation mentions: "By embedding information into the URL that is provided in the token request, the merchant server can identify the specific customer and transaction that has been processed when the customer returns."  I have seen that work, to an extent.  For example, I can add a unique identifier into the URL.  I've tested that.  However, I'm not seeing in the API as to where or how to use that information to query to get back the Transaction ID and Auth Code.  Here's what I imagine the flow would be:

 

  1. Add "myUniqueId=12345" to the query string for the hostedPaymentReturnOptions value.  Note that I'm also passing this id in as the ID in customerDataType.  So Aspose.Net should know this ID. 
  2. When the user completes the process and clicks the CONTINUE button, he comes back to https://myInternalServer/page?myUniqueId=12345.  I see #1 and #2 working for me now.
  3. Because I'm not getting communication back to my internal site, I now need to use that Unique ID to make an API call back to get transaction details.  I am looking for an API call similar to getTransactionDetailsRequest(), but letting me use my UniqueId as a search parameter. 

The end result of what I'm trying to do is to save the Transaction ID and Auth Code in my A/R Transaction table as proof/verification of the transaction.  I do have this completely working with 100% API calls, but I strongly desire to move to Accept Hosted for the PCI ramifications. 

 

Basically, if the Accept Hosted page appended the Transaction ID to the URL, I'd be set. 

 

Again, I could be completely off base here.  If you could help to point me in the right direction with how to somehow tag an Accept Hosted item and then pull back the transaction details, I'd appreciate it. 

 

Thanks again.

 

-- Robert Sillett

 

Administrator
Posts: 384
Registered: ‎11-03-2016

Re: Response Codes to an Intranet Site for Accept Hosted

Hi Robert,

 

Let me unpack the question into a few parts here...

 

1. Can you use the API and get a transaction's details by sending in a unique ID you assigned to the transaction? No. That's a common request, and I personally would love to see it come to pass as it would enable a lot of workflows that right now are either cumbersome or impossible. Unfortunately, I can't give any timeframe on that.

 

2. The recommendation to embed identifying information in the URL query string is not so that you could use that information with our API later. It's more to close the loop and identify to you that user with that ID made it through the form after you handed them off, and the transaction is completed.

 

3. So how do you get a transaction ID? Right now there is no direct notification to your server that the user with the ID xxxxx finished their transaction and the transaction ID is yyyyyyyyyyy and the auth code is zzzzzz. You can piece this information together by querying our API for the last unsettled transactions and then searching those for the one matching the user ID you sent. A little cumbersome to be sure, but it's all that can be done without getting iframe communication working.

 

4. Why won't iframe communication work for you? You touch on this briefly with the suspicion that a firewall may be to blame. However, I think if you got this working, it would solve most of your issues.

It's not well documented in our documentation yet, so you can be forgiven for not understanding what's going on here.

 

In a nutshell, you'll send us the URL of a page on your server when you do the initial token request. When we load the form in the user's browser, we'll embed that page you sent us inside the payment form. That page whose URL you sent will just have a javascript in it to listen to communication from our form. Since that URL you send is on the same server as the page which called the form in the first place, we can get around browser limitations on cross site scripting. When a transaction is successful, we'll send the response (including transaction ID) to that script, and you can put a routine in that script to communicate that info back to your server in whatever way you want. 

 

6. What level of PCI will this end up being? That's a question we can't really answer, so if there's any question on your end, we recommend having a conversation with your assessor to make sure the end result achieves the desired goals.

-Aaron

Aaron Wright
Developer Advocate - Authorize.Net
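
The listener page described in point 4 above, sketched as an added example that is not part of either post and not Authorize.Net's code. Assumptions: the form's message is a query string of the form `action=transactResponse&response=<URL-encoded JSON>` with `transId` and `authorization` fields, `FORM_ORIGIN` is a placeholder for the origin that serves the payment form, and `/payments/confirm` and the gateway record shape are hypothetical.

```javascript
'use strict';
// Added example. Message layout, field names, origin and endpoint are assumptions.
const FORM_ORIGIN = 'https://hosted-form.example'; // placeholder origin of the payment form

// Runs in the listener page: accept a message only from the payment form's origin
// and reduce it to the two values the server needs.
function readTransactionMessage(event, allowedOrigin = FORM_ORIGIN) {
  if (!event || event.origin !== allowedOrigin || typeof event.data !== 'string') return null;
  const params = new URLSearchParams(event.data);
  if (params.get('action') !== 'transactResponse') return null; // other message types
  let body;
  try {
    body = JSON.parse(params.get('response') || '');
  } catch (err) {
    return null; // malformed payload
  }
  if (!body || !/^\d{1,20}$/.test(String(body.transId))) return null;
  return { transId: String(body.transId), authCode: String(body.authorization || '') };
}

// Runs on the server: values relayed by a browser are untrusted, so compare them
// with the gateway's own record (looked up by transaction ID; shape assumed) and with
// the unique ID and amount this application issued, before writing the A/R row.
function confirmedByGateway(reported, gatewayRecord, expected) {
  return Boolean(reported && gatewayRecord) &&
    gatewayRecord.transId === reported.transId &&
    gatewayRecord.authCode === reported.authCode &&
    gatewayRecord.customerId === expected.myUniqueId &&
    gatewayRecord.amount === expected.amount;
}

// Constructed sample message, for trying the functions offline.
const SAMPLE_EVENT = { origin: FORM_ORIGIN, data: 'action=transactResponse&response=' +
  encodeURIComponent(JSON.stringify({ transId: '60012345678', authorization: 'ABC123' })) };

// Browser wiring (skipped under Node): relay a valid result to the hypothetical endpoint.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = readTransactionMessage(event);
    if (result) {
      fetch('/payments/confirm', { method: 'POST', body: JSON.stringify(result),
        headers: { 'Content-Type': 'application/json' } });
    }
  });
}
```

The server-side comparison is what makes the stored Transaction ID and Auth Code usable as proof: a value that only ever passed through the browser can be altered by whoever controls that browser.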

Member
Posts: 2
Registered: ‎03-20-2017

Re: Response Codes to an Intranet Site for Accept Hosted

Hi, Aaron.

 

Thank you for the prompt and detailed response.  It could very well be that I don't have the IFRAME code working properly.  I'll pursue that route.  As you mention, I can also use the API to search for the transaction result, although that's not as elegant a solution. 

 

Thanks again.  You've been quite helpful. 

 

-- Robert