The Authorize.Net Developer Blog

Posts from Authorize.Net employees, community members and experts about integrating with the Authorize.Net Payment Gateway: sample code, tutorials, and problem-solving techniques, just to name a few.

Direct Post Method (DPM)

by on 11-03-2010 05:23 PM - last edited on 04-20-2018 03:54 PM by Moderator (288,963 Views)

Update: We have deprecated the Direct Post Method (DPM) integration method. We no longer update or support this method. Please see our Upgrade Guide for more information and recommended upgrade path.

 

--------------------------------------------------------------

 

Authorize.Net recently launched the Direct Post Method (DPM), which makes it faster than ever to take full control of the checkout process.

The Direct Post Method gives your merchants complete control over the pages related to the checkout experience. You can create your merchant's own checkout form and host it on their own server. If your merchant wants to add analytics to their page, they can. If they want to test different background colors, font sizes, live chat, or blinking text, go for it! You can design, tweak, and test your merchant's checkout forms as you would any other page on their site.

Sure, customizing checkout pages isn't a new phenomenon. But in the past, when a website hosted its own checkout form, it meant that the website would also be handling credit card numbers and other sensitive data. The Direct Post Method allows your merchants a fully customized checkout process without handling sensitive payment information. With DPM, all the user-facing content and forms are hosted on the merchant's site, and then you simply set the form to post to Authorize.Net's secure servers. Authorize.Net processes the sensitive cardholder data invisibly, and relieves some of the worries about security.

How it Works

Understanding how DPM works is very straightforward. Simply create a webpage with a credit card form, and post it to Authorize.Net's endpoint. Just add Authorize.Net's URL as the 'action' on the form, so

 

<form action="YOUR_URL" method="post">

 

becomes

 

<form action="https://secure.authorize.net/gateway/transact.dll" method="post">

 

Just make sure the names of the input fields correspond to the Authorize.Net API fields (the credit card number should be "x_card_num", for example). The full list of fields can be found in the Authorize.Net SIM Guide.

When a merchant's customer submits this form, Authorize.Net sends the results of the transaction to the merchant's server without sending any of the sensitive cardholder information. The merchant's server can then store these results and send a response back to Authorize.Net. In the Direct Post Method, this response is simply a snippet of HTML that contains a bit of JavaScript and/or a meta refresh tag, which directs the customer back to the merchant's site. When the customer comes back to the merchant's site, you can retrieve the transaction results saved a moment ago, execute any business logic, and then show a receipt (or error) page to the customer.

All of this happens behind the scenes. To the customer, the experience is seamless. All they do is click the "Submit" button on the checkout form, and the next page they see will be the merchant's own receipt page.  As far as the customer is concerned, the domain name stays the same.
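The merchant-side half of that exchange, as an added example that is not code from this post or from the Authorize.Net SDKs: a handler that stores only the transaction result, returns the redirect snippet with the return URL encoded for both the meta tag and the script, and looks the result up again on the receipt page. The result field names (x_trans_id, x_response_code and so on), the numeric transaction id, the "1 means approved" code, the receipt URL and the in-memory store are assumptions.

```python
import html
import json
from urllib.parse import urlencode

# Assumed SIM-style result field names; the post itself names only x_card_num.
RESULT_FIELDS = ("x_response_code", "x_response_reason_text", "x_trans_id", "x_amount")
RECEIPT_URL = "https://merchant.example/receipt"  # hypothetical merchant receipt page
RESULTS = {}  # hypothetical in-memory store standing in for the merchant's database


def build_redirect_snippet(url: str) -> str:
    """Return the HTML snippet (meta refresh plus JavaScript) that sends the customer back."""
    attr = html.escape(url, quote=True)           # safe inside the content="..." attribute
    js = json.dumps(url).replace("<", "\\u003c")  # safe inside the <script> element
    return (
        f'<html><head><meta http-equiv="refresh" content="0;url={attr}">'
        f"<script>window.location.replace({js});</script></head><body></body></html>"
    )


def handle_relay_post(posted: dict) -> str:
    """Store the transaction result, then answer with the redirect snippet.

    Assumes the request was already authenticated as coming from the gateway.
    """
    trans_id = posted.get("x_trans_id", "")
    if not trans_id.isdigit():  # assumed: transaction ids are numeric
        raise ValueError("missing or malformed x_trans_id")
    # Allowlist: keep only the result fields, drop everything else in the POST.
    RESULTS[trans_id] = {k: posted[k] for k in RESULT_FIELDS if k in posted}
    return build_redirect_snippet(RECEIPT_URL + "?" + urlencode({"trans_id": trans_id}))


def receipt_status(trans_id: str) -> str:
    """Called when the customer lands on the receipt page: look up the saved result."""
    saved = RESULTS.get(trans_id)
    if saved is None:
        return "unknown"  # never trust a transaction id that was not stored server-side
    # Assumed: response code "1" means approved.
    return "approved" if saved.get("x_response_code") == "1" else "not approved"


if __name__ == "__main__":
    # Constructed sample POST, not captured traffic.
    sample = {"x_trans_id": "1234567890", "x_response_code": "1", "x_amount": "19.99",
              "unexpected_field": "<b>dropped</b>"}
    print(handle_relay_post(sample))
    print(receipt_status("1234567890"))
```

The receipt page decides what to show from the stored record, not from anything in the customer's query string other than the lookup key.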

To summarize, the Direct Post Method offers a fully customizable checkout experience that's both easy to implement and secure. 

I'm imagining you might have a couple of questions right off the bat.


Q: "This sounds a lot like SIM. What's the difference?"

A: Yes, SIM is a great solution to reduce PCI compliance risk, but the default is for those pages to be hosted on Authorize.Net. With DPM, the merchant hosts the order page and receipt page every time, allowing for full customization. This modified payment integration method simply allows maximum flexibility while still reducing the PCI compliance burden of handling the customers' personal payment information.  

Q: "Wait, what about security?  I thought a form with sensitive information should be hosted on a secure site?"

A: Yes, it is recommended that the order and receipt pages are hosted on a secure server. Having the checkout and receipt pages hosted on a secure server provides the customer with peace of mind. While an SSL certificate is not technically required for DPM, if your merchant wants their customers to see HTTPS in the browser, the merchant will need one. If acquiring an SSL certificate and hosting pages over HTTPS is a blocking issue, you should consider SIM instead.




For further reading, the Developer Center has more information about the Direct Post Method and also provides demos of the method in the Authorize.Net SDKs as well as in the quick start guides. If you have questions or run into problems implementing DPM, the forums are a great place to ask for help.

If you or your merchant need an even easier way to accept payments, there's the Simple Checkout Method. If you need a more advanced solution and are comfortable handling sensitive cardholder data, take a look at the Advanced Integration Method. If you want the best of both worlds, the Direct Post Method is for you.

 

 

 

---
Breck is a guest contributor for Authorize.Net