08-09-2011 07:11 AM
I'm wondering if it's possible to use the hosted CIM API option to allow users to create and edit their payment profiles and then somehow get the relevant information (payment profile ID) to process a payment through the normal CIM API? This way my server never sees any cardholder data.
How would I go about getting the payment profile ID after they create their profile?
08-09-2011 03:41 PM
Why would you care if your server sees cardholder data? As long as you have an SSL certificate, and as long as you don't leak your FTP password, you're good to go. If someone DOES gain access to your FTP, having the payment system off-site isn't going to save you - the hacker could randomly redirect people to a secondary payment page on your site, or on his site, or if the answer to your question is yes and the payment profile IDs can be retrieved, could get all information except the card data, and would be able to charge their credit cards - though the money would end up with you and not him. As I keep saying, security starts and ends at your FTP. If your FTP is compromised, you're doomed; if it isn't, you're fine.
08-11-2011 03:46 PM
This is exactly the intent that the hosted CIM forms are designed for. Once a customer has created their payment and shipping profiles, you can retrieve them using the CIM API with a getCustomerProfileRequest. You will also have to already be using the createCustomerProfileRequest before you can use the hosted forms.
08-15-2011 12:46 PM
Before you can generate one of the hosted forms, you have to already have the customer profile ID. You can use that same customer profile ID to pull a list of payment profiles when the customer returns to your page. There is no way to specifically pull the most recently created profile. If you really wanted to do this, you could pull the profiles before and after presenting the hosted form and identify any changes.
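The before/after comparison described in the last reply, as an added example that is not part of the original thread: it parses two getCustomerProfileResponse documents and reports which payment profile IDs were added, removed, or changed. The sample responses, IDs and masked card numbers are constructed, and the function names are hypothetical; only masked card numbers ever reach this code.

```python
import xml.etree.ElementTree as ET

# Namespace used by the CIM XML API responses.
NS = {"a": "AnetApi/xml/v1/schema/AnetApiSchema.xsd"}

def payment_profiles(response_xml):
    """Map customerPaymentProfileId -> masked card number for one response."""
    root = ET.fromstring(response_xml)
    if root.findtext("a:messages/a:resultCode", namespaces=NS) != "Ok":
        raise ValueError("getCustomerProfileRequest did not succeed")
    found = {}
    for pp in root.findall("a:profile/a:paymentProfiles", NS):
        pid = pp.findtext("a:customerPaymentProfileId", namespaces=NS)
        card = pp.findtext("a:payment/a:creditCard/a:cardNumber",
                           default="", namespaces=NS)
        found[pid] = card
    return found

def diff_profiles(before_xml, after_xml):
    """Compare the snapshots taken before and after the hosted form."""
    before = payment_profiles(before_xml)
    after = payment_profiles(after_xml)
    shared = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        # An edited profile keeps its ID; the masked number may differ.
        "changed": sorted(p for p in shared if before[p] != after[p]),
    }

def _sample(profiles, result="Ok"):
    """Build a constructed response for the demo (not real API output)."""
    items = "".join(
        f"<paymentProfiles><customerPaymentProfileId>{pid}"
        f"</customerPaymentProfileId><payment><creditCard>"
        f"<cardNumber>{card}</cardNumber></creditCard></payment>"
        f"</paymentProfiles>" for pid, card in profiles)
    return (f'<getCustomerProfileResponse xmlns="{NS["a"]}">'
            f"<messages><resultCode>{result}</resultCode></messages>"
            f"<profile><customerProfileId>10000</customerProfileId>"
            f"{items}</profile></getCustomerProfileResponse>")

BEFORE = _sample([("20001", "XXXX1111")])
AFTER = _sample([("20001", "XXXX1111"), ("20002", "XXXX0027")])

if __name__ == "__main__":
    print(diff_profiles(BEFORE, AFTER))
```

If "added" holds more than one ID, or "changed" is non-empty, the customer did more than create a single profile, so ask which profile to charge rather than guessing.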