  1. #1
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Authorize.net CIM integration

    Has anyone written a module for Authorize.net CIM integration?

    Looking to store customer cc info in a secure manner bypassing the offline credit-card functionality.

    Thanks,

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Authorize.net CIM integration

    The AIM module processes securely in real-time, but doesn't "store" CC numbers.

    There is no CIM integration per se at this time.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Re: Authorize.net CIM integration

    Thanks.

    Maybe you could give me some thoughts about this...

    We need to pass the cc information to a 3rd party distributor for billing. Is there ANY way to do that without using the offline cc module (and emailing the cc middle digits?).

    Two reasons:

    1. We've lost payment information (middle digits) here and there because of an email issue. If this happens on a significant scale (say 100 orders in a day) it would be a disaster!
    2. Email leaves a trail (logs, etc.).
    3. It's a fragile system. I'm concerned about the information being "out there"

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Authorize.net CIM integration

    Quote: Originally Posted by MotoDelta
    We need to pass the cc information to a 3rd party distributor for billing.
    Care to explain this further?
    And, is your site's privacy policy declaring that you're giving your customers' credit card info to someone else?
    And have you confirmed with your bank that you're not violating your contract TOS by giving CC numbers away with or without your customers' knowledge?

  5. #5
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Re: Authorize.net CIM integration

    I'm a technical/software service provider, not a shipper or store owner. The owner of the site (the "3rd party") does the billing, the consumers are not MY customers, they are the 3rd party's customers. The privacy policy is theirs, the customer is buying from and billed by them. Make sense?

    So let me rephrase the question. I want to pass the store owner the credit-card information for his customers in some manner other than e-mail, which isn't reliable enough in high volumes. As I mentioned, we experienced several dropped emails that resulted in customers having to be contacted by phone about it, and it's NOT a pleasant conversation. "Yes Mr. Customer, we need your credit-card information again because there was an email glitch." Right now it's just embarrassing; if we're processing 100 orders via email and there's a bigger outage and all that information is lost, it's not embarrassing, it's a TOTAL disaster.

    Is there any alternative method that is secure for passing the cc information to the store owner other than the offline cc module? What about using Authorize.net or some other secure method? Can I pass the information to them somehow for the store owner to retrieve?

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Authorize.net CIM integration

    A few thoughts ...
    Quote: Originally Posted by MotoDelta
    So let me rephrase the question. I want to pass the store owner the credit-card information for his customers in some manner other than e-mail which isn't reliable enough in high-volumes. As I mentioned we experienced several dropped emails that resulted in customers having to be contacted by phone about it...
    So, you're telling me that you've been passing customer credit card information via email for hundreds of orders? YIKES!

    Zen Cart is not designed to store credit card info nor to share it with 3rd parties other than for direct payment processing while the customer is actually in control of the transaction.
    There are all kinds of credit card industry rules and regulations which need to be followed including high-tech encryption and major security precautions ... if you intend to store or share CC details. And such activity should never be done on a webserver connected to the internet. Ever. That's why Zen Cart doesn't do it ... and indeed doesn't need to do it.
    A live transaction gateway such as Authorize.net AIM can handle the transaction in real time.

    Quote: Originally Posted by MotoDelta
    I'm a technical/software service provider, not a shipper or store owner. The owner of the site (the "3rd party") does the billing, the consumers are not MY customers, they are the 3rd party's customers. The privacy policy is theirs, the customer is buying from and billed by them. Make sense?
    Well ... given that *you* are collecting CC info from "customers", then ... well ... technically *you* are a storeowner, or, well, at least you're "operating" a store.

    So ... if the customers aren't actually yours, why are you collecting CC details from them?

    Now, if you're authorized to collect payments on behalf of the real storeowner, why don't you just ask the storeowner for *their* authorize.net account details so you can put them into your website and actually collect payment *for* them directly?
    (I believe you can set up multiple users in Authorize.net to allow them to do different things such as collecting payment and perhaps not do any reporting or refunds etc ... you'd have to confer with the Authorize.net sales rep for verification and how-to on that.)

  7. #7
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Re: Authorize.net CIM integration

    Why is it that I have to review my entire business process model to get a single question answered. I'm trying to get a question answered to increase my security and what I get is an uninformed security consultation.

    Let me ask you a question: You advertise zen-cart hosts here on your website. They operate the zen-cart sites for possibly hundreds of stores. Are you telling me that the offline credit-card payment capability is illegal for every single one of those installations? If passing the cc# middle digits by email is a problem, then WHY does the offline cc module do it? Didn't you write it? You say zen-cart isn't designed to store credit-card information but it's designed to do specifically that, that's standard off-the-shelf functionality in your software is it not? (minus the middle digits and cvv)

    My customers are not using ANY functionality outside what YOU provided in the software in the manner that YOU intended.

    The store is in control of the billing. They own the website, they run the store, I simply host it. How is that any different than 1000's of other operations? The only information being passed via email are those things YOU designed in YOUR software.

    So please, you tell me how using your software as designed is breaking laws....

  8. #8
    Join Date
    Jan 2006
    Posts
    120
    Plugin Contributions
    0

    Re: Authorize.net CIM integration

    Wanted to follow up on this message: Is there a huge gap in communication here?

    You said "Zen Cart is not designed to store credit card info" But it does. It stores everything but the middle 8 digits of the cc#

    You said "you're telling me that you've been passing customer credit card information via email for hundreds of orders?" No, I'm saying if we do and those middle digits are lost, it would be a big problem.

    I'm quite confused as to how this differs from one of any hundreds of hosted zen-cart installations out there with your preferred hosting providers.

  9. #9
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Authorize.net CIM integration

    Quote: Originally Posted by MotoDelta
    The store is in control of the billing. They own the website, they run the store, I simply host it. How is that any different than 1000's of other operations?
    That's not how you described it initially.
    If "they run the store" then why are you even looking at different ways to pass credit card information on to "them" for processing?

    Your initial posts in this thread don't make it look like you're simply the host. You imply that somehow you are running a store as a middle-man to someone and collecting and sharing credit card data with a 3rd party unbeknownst to the customer.

    ie:

    Quote: Originally Posted by MotoDelta
    Has anyone written a module for Authorize.net CIM integration?

    Looking to store customer cc info in a secure manner bypassing the offline credit-card functionality.

    Thanks,

    Quote: Originally Posted by MotoDelta
    Thanks.

    Maybe you could give me some thoughts about this...

    We need to pass the cc information to a 3rd party distributor for billing. Is there ANY way to do that without using the offline cc module (and emailing the cc middle digits?).

    Two reasons:

    1. We've lost payment information (middle digits) here and there because of an email issue. If this happens on a significant scale (say 100 orders in a day) it would be a disaster!
    2. Email leaves a trail (logs, etc.).
    3. It's a fragile system. I'm concerned about the information being "out there"

    Quote: Originally Posted by MotoDelta
    I'm a technical/software service provider, not a shipper or store owner. The owner of the site (the "3rd party") does the billing, the consumers are not MY customers, they are the 3rd party's customers. The privacy policy is theirs, the customer is buying from and billed by them. Make sense?

    So let me rephrase the question. I want to pass the store owner the credit-card information for his customers in some manner other than e-mail, which isn't reliable enough in high volumes. As I mentioned, we experienced several dropped emails that resulted in customers having to be contacted by phone about it, and it's NOT a pleasant conversation. "Yes Mr. Customer, we need your credit-card information again because there was an email glitch." Right now it's just embarrassing; if we're processing 100 orders via email and there's a bigger outage and all that information is lost, it's not embarrassing, it's a TOTAL disaster.

    Is there any alternative method that is secure for passing the cc information to the store owner other than the offline cc module? What about using Authorize.net or some other secure method? Can I pass the information to them somehow for the store owner to retrieve?

  10. #10
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Authorize.net CIM integration

    Quote: Originally Posted by MotoDelta
    You said "Zen Cart is not designed to store credit card info" But it does. It stores everything but the middle 8 digits of the cc#
    Pardon me. I should have said it differently: "Zen Cart is not designed to store complete credit card numbers on the webserver nor forward complete credit card numbers to any outside party other than a connected payment gateway while the customer is engaged in the transaction in real time."

    As for collecting numbers for offline processing by forwarding partial numbers by email, that option has been available in the v1.x series, but is being removed from v2.0 onward due to increased complexities in security rules, not to mention PCI DSS "regulations".

    Quote: Originally Posted by MotoDelta
    You said "you're telling me that you've been passing customer credit card information via email for hundreds of orders?" No, I'm saying if we do and those middle digits are lost, it would be a big problem.
    Sorry, I should have been more clear that I was asking a question.

    Quote: Originally Posted by MotoDelta
    My customers are not using ANY functionality outside what YOU provided in the software in the manner that YOU intended.
    The intent has always been that the store owner would be processing the payment, not some unknown third party, especially if the customer doesn't know that some other party than the website owner is getting their payment information.
