
Variation on the SIM flow or DPM without https

Hello everybody,

I need to integrate the Authorize payment gateway on an existing shop. That shop doesn't use https so I thought that SIM would be the only option (exception made for the simple checkout buttons).

 

This is the flow of our shop, right now:

 

- merchant displays cart form

- customers choose the products, enter their personal data and submit the form

- merchant processes the form and displays another form which recaps the order's details

- customers choose a payment gateway and submit the form

- merchant processes the form, registers the order and redirects the customer to the gateway website

- gateway displays the payment form asking for the credit card data and so forth

 

The problem with SIM is that the cart form [edit: well, the recap form, in our case] should be posted directly to Authorize, hence we cannot register the order before sending the user to the payment gateway. We may register the order only after the response of Authorize, but that means that we will not be able to see orders waiting for completion in our backoffice, but only orders that have either successfully completed or orders that failed.

 

I pondered using the DPM, but the workflow expects the merchant to display a form which asks the customer for the credit card data and even if this form will be posted to Authorize, the merchant is expected to serve that form using https, which we currently don't use.

 

So here are the questions:

- is there any way to post a server-to-server request to Authorize in the context of SIM, so that we can register the order on our end before posting to Authorize, and then get a redirection URL that we can use to send the customer to the payment form on Authorize?

- is it really necessary, in the context of DPM, to use https to serve the form that asks the customer about their credit card details, considering that the form will be posted via https to Authorize in any case?

 

Thanks a lot for your attention!

Francesco
Member
Accepted Solutions

1. I just store all orders in the order table on my end, then have a flag set for whether an order completed or not. If it hasn't completed, an automated routine eliminates the record after a certain amount of time. If you need an extra page between your cart and Authorize.net, just make the form auto-submit so the customer doesn't see it as an extra page (onload="document.formname.submit();"). If I'm not understanding the problem, I'll need to see your specific code - post it here in a code box, fourth option from the left in Rich Text mode.

 

2. The form page itself does not need to be secure to post to Authorize.net via DPM. The question, of course, is whether people will feel okay about filling their credit card info in on a non-secure form, regardless of whether their data is in fact safe or not. But certificates only cost $50/year, anyone who can't afford that probably can't afford paying you what you're worth either. Hosting is the last thing that should be stinted on.

TJPride
Expert
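
The pending-order approach from the accepted answer, sketched as an added example (not code from the thread or from Authorize.Net): the order is stored with a completed flag before an auto-submitting form sends the customer on, and a cleanup routine deletes orders that never complete. The gateway URL, the two-hour expiry, the table layout and the hidden field names are assumptions, and whatever authentication fields the gateway requires are left to `extra_fields`.

```python
import html
import sqlite3
import time

GATEWAY_URL = "https://gateway.example/pay"  # placeholder, not a real endpoint
PENDING_TTL = 2 * 60 * 60  # assumed: purge unpaid orders after two hours

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount TEXT NOT NULL,"
               " completed INTEGER NOT NULL DEFAULT 0, created REAL NOT NULL)")
    return db

def register_pending_order(db, amount, now=None):
    """Store the order (completed = 0) before the customer leaves for the gateway."""
    now = time.time() if now is None else now
    cur = db.execute("INSERT INTO orders (amount, created) VALUES (?, ?)", (amount, now))
    db.commit()
    return cur.lastrowid

def render_autosubmit_form(order_id, amount, extra_fields=None):
    """Build the intermediate page that posts itself to the gateway."""
    # Field names are illustrative; every name and value is HTML-escaped so
    # order data cannot break out of the hidden inputs.
    fields = {"x_invoice_num": str(order_id), "x_amount": amount}
    fields.update(extra_fields or {})
    inputs = "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in fields.items())
    return ('<body onload="document.pay.submit();">\n'
            '<form name="pay" method="post" action="%s">\n%s\n'
            '<noscript><input type="submit" value="Continue to payment"></noscript>\n'
            '</form></body>' % (html.escape(GATEWAY_URL, quote=True), inputs))

def mark_completed(db, order_id):
    """Called from the gateway-response handler once payment succeeds."""
    db.execute("UPDATE orders SET completed = 1 WHERE id = ?", (order_id,))
    db.commit()

def purge_stale(db, now=None):
    """Delete orders that never completed within PENDING_TTL; returns the count."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM orders WHERE completed = 0 AND created < ?",
                     (now - PENDING_TTL,))
    db.commit()
    return cur.rowcount
```
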

Installing the certificate would be indeed better to let the users see that they're filling their credit card data on a secure form, the problem isn't about its monetary cost but moreover about the possible additional changes needed to make everything else work fine (the cart gets loaded in a CMS with a lot of customization, I've already experienced issues on another website switching from http to https and vice versa and kicking out users from the system).

 

I think I'll go with the auto-submit solution, thanks a lot for your insight.

If a cookie is set to nonsecure, it should be accessible in both HTTP and HTTPS, as far as I know.

Oh, indeed the issue can be solved, and non-secure cookies may very well do the trick, the point is that setting up the certificate and verifying that everything works fine - not to speak about fixing eventual problems - will surely be more time consuming than implementing the auto-submitting form, since the auto-submitting form is pretty much ready. As I pointed out, we're speaking about a heavily customized CMS but I forgot to mention that it wasn't customized by me, I'll be better ignoring the details of most of those customizations, hopefully forever ;-)

 

Thanks for the heads up in any case.

Ok, well whatever works. Just throwing out ideas :)

Much appreciated :-)