Order processing best practices...


Jonathan Franks

Feb 11, 2008, 7:40:36 AM
to activem...@googlegroups.com
Dear All,

This is slightly off topic but as the users of this list seem well
informed, I thought I might ask your advice....

I want to collect delivery and billing details on two separate pages and
then display a summary page with a make payment button.

My question is, how do I temporarily store the credit card details
between the billing and summary page without having to pass PCI DSS
compliance?

Any help would be appreciated. Kindest Regards, Jonathan.

Benjamin Curtis

Feb 11, 2008, 9:19:51 AM
to activem...@googlegroups.com
You have two options:

1. Use a CC processor like TrustCommerce or BrainTree that allows you
to store the information with them and get a reference ID back for
charging the card later.
2. Simply authorize the card as soon as the payment info is collected
and get a reference ID for capturing the amount later.

----
Benjamin Curtis
http://catchthebest.com/ - Track, share, and rate incoming resumes
http://www.bencurtis.com/ - Personal blog

Jonathan Franks

Feb 11, 2008, 11:42:58 AM
to activem...@googlegroups.com
Thanks for the advice! So, it's not possible to securely store the card
details in the session, without then having to pass PCI DSS compliance??

Danimal

Feb 27, 2008, 12:42:58 AM
to Active Merchant
Jonathan,

I'd recommend just using Authorize, then Capture. It fits nicely with
your two-step checkout anyway. And you don't need to store anything
other than the auth transactionID... keep that in the session or as a
hidden post field between step 1 and 2. The nice thing is that
Braintree enforces that the transactionID can _only_ be used to
capture that auth, so it can't be abused even if it can be "grabbed"
or "read" somehow.

The vault is probably more hassle since you really just need the two-
step separation rather than deferred or recurring charge capability.

-Dan

On Feb 11, 9:42 am, Jonathan Franks <jonat...@ifranks.com> wrote:
> Thanks for the advice! So, it's not possible to securely store the card
> details in the session, without then having to pass PCI DSS compliance??
>
> Benjamin Curtis wrote:
> > You have two options:
>
> > 1. Use a CC processor like TrustCommerce or BrainTree that allows you
> > to store the information with them and get a reference ID back for
> > charging the card later.
> > 2. Simply authorize the card as soon as the payment info is collected
> > and get a reference ID for capturing the amount later.
>
> > ----
> > Benjamin Curtis
> > http://catchthebest.com/ - Track, share, and rate incoming resumes
> > http://www.bencurtis.com/ - Personal blog

Jonathan Franks

Feb 27, 2008, 3:44:54 AM
to activem...@googlegroups.com
Thanks for the advice Dan.

The only problem that I see with that technique is..... as far as I
understand it, if the user wants to change something about the order on
the summary page (shipping, shopping cart contents), and the total
amount goes over a certain threshold (with protx, it's 115%), then we
would need to re-authorize the card and so the user would have to
re-enter their card details. Am I right?? or am I missing something?

Thanks again,

Jonathan

Cody Fauser

Feb 27, 2008, 6:18:29 AM
to activem...@googlegroups.com
Jonathan,

If you're using a gateway that supports reference transactions and you
go over the 115% then you would run a new reference authorization
based on the initial authorization.

--
Cody Fauser
http://shopify.com - e-commerce done right
http://www.codyfauser.com - blog
http://peepcode.com/products/activemerchant-pdf - ActiveMerchant PeepCode
http://www.oreilly.com/catalog/rjsrails - RJS Templates for Rails

Jonathan Franks

Feb 27, 2008, 2:48:31 PM
to activem...@googlegroups.com
I didn't know that I could do that! great - perfect solution.

My only remaining concern - when I do the auth, a shadow is placed on
the cardholder's account. If they then navigate away, the shadow is
left. Will they have problems using their card if they try to use some
of the 'shadowed funds'??

Thanks for everyone's help and advice!

James

Mar 5, 2008, 3:50:40 AM
to Active Merchant
Hello,

I am in the same situation and wondering how to create a new reference
authorization using ActiveMerchant in case the customer increases or
decreases the purchase amount > 115% (using Authorize.net).

I would imagine you would have a method authorize() which takes an
authorization# but I could find anything like that.

Thanks,
James

On Feb 27, 11:48 am, Jonathan Franks <jonat...@ifranks.com> wrote:
> I didn't know that I could do that! great - perfect solution.
>
> My only remaining concern - when I do the auth, a shadow is placed on
> the cardholder's account. If they then navigate away, the shadow is
> left. Will they have problems using their card if they try to use some
> of the 'shadowed funds'??
>
> Thanks for everyone's help and advice!
>
> Cody Fauser wrote:
> > Jonathan,
>
> > If you're using a gateway that supports reference transactions and you
> > go over the 115% then you would run a new reference authorization
> > based on the initial authorization.
>
> > On Wed, Feb 27, 2008 at 3:44 AM, Jonathan Franks <jonat...@ifranks.com> wrote:
>
> >>  Thanks for the advice Dan.
>
> >>  The only problem that I see with that technique is..... as far as I
> >>  understand it, if the user wants to change something about the order on
> >>  the summary page (shipping, shopping cart contents), and the total
> >>  amount goes over a certain threshold (with protx, it's 115%), then we
> >>  would need to re-authorize the card and so the user would have to
> >>  re-enter their card details. Am I right?? or am I missing something?
>
> >>  Thanks again,
>
> >>  Jonathan
>
> >>  Danimal wrote:
> >>  > Jonathan,
>
> >>  > I'd recommend just using Authorize, then Capture. It fits nicely with
> >>  > your two-step checkout anyway. And you don't need to store anything
> >>  > other than the auth transactionID... keep that in the session or as a
> >>  > hidden post field between step 1 and 2. The nice thing is that
> >>  > Braintree enforces that the transactionID can _only_ be used to
> >>  > capture that auth, so it can't be abused even if it can be "grabbed"
> >>  > or "read" somehow.
>
> >>  > The vault is probably more hassle since you really just need the two-
> >>  > step separation rather than deferred or recurring charge capability.
>
> >>  > -Dan
>
> >>  > On Feb 11, 9:42 am, Jonathan Franks <jonat...@ifranks.com> wrote:
>
> >>  >> Thanks for the advice! So, it's not possible to securely store the card
> >>  >> details in the session, without then having to pass PCI DSS compliance??
>
> >>  >> Benjamin Curtis wrote:
>
> >>  >>> You have two options:
>
> >>  >>> 1. Use a CC processor like TrustCommerce or BrainTree that allows you
> >>  >>> to store the information with them and get a reference ID back for
> >>  >>> charging the card later.
> >>  >>> 2. Simply authorize the card as soon as the payment info is collected
> >>  >>> and get a reference ID for capturing the amount later.
>
> >>  >>> ----
> >>  >>> Benjamin Curtis
> >>  >>> http://catchthebest.com/ - Track, share, and rate incoming resumes
> >>  >>> http://www.bencurtis.com/ - Personal blog

Cody Fauser

Mar 5, 2008, 9:32:25 AM
to activem...@googlegroups.com
James,

Authorize.net doesn't support reference transactions yet in
ActiveMerchant. However, it looks like the support for the
Authorize.net CIM is almost ready. This would allow you to store
perform this type of reauthorization, but you'd have to sign up for
the service with Authorize.net and pay slightly more every month.

--

James

Mar 5, 2008, 1:08:56 PM
to Active Merchant
Thanks Cody.

In that case this is what I gather you can:
1. store credit card numbers offsite (for a fee)
2. Store them yourself (liability)
3. do auth/capture not to exceed 115% (authorize.net)
4. change gateways or wait for new functionality

btw I picked up the activemerchant peepcode book, I would definitely
recommend it to everyone.
I might switch to the gateway you recommended since we are not live
with authorize.net

-James
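
The authorize-then-capture flow discussed in this thread, sketched as an added example (not written by any poster and not ActiveMerchant code). `FakeGateway`, `billing_step` and `summary_step` are hypothetical names; the in-memory gateway is a constructed stand-in, and its 115% capture ceiling is the Protx figure quoted in the thread.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for a payment gateway (hypothetical, not a real API).
# The card number stays on the "gateway side"; callers get back an opaque reference.
class FakeGateway
  Result = Struct.new(:success, :authorization, :message)

  # 115 is the Protx threshold mentioned in the thread; other gateways differ.
  def initialize(capture_limit_percent: 115)
    @limit = capture_limit_percent
    @auths = {}
  end

  def authorize(cents, card_number)
    ref = SecureRandom.hex(8)
    @auths[ref] = { cents: cents, card: card_number, captured: false }
    Result.new(true, ref, 'authorized')
  end

  # A reference can only capture the authorization it belongs to, and only once.
  def capture(cents, ref)
    auth = @auths[ref]
    return Result.new(false, nil, 'unknown authorization') unless auth
    return Result.new(false, nil, 'already captured') if auth[:captured]
    # Integer comparison avoids float rounding at the exact threshold.
    if cents * 100 > auth[:cents] * @limit
      return Result.new(false, nil, 'exceeds authorized amount')
    end
    auth[:captured] = true
    Result.new(true, ref, 'captured')
  end
end

# Billing page: authorize immediately and keep only the reference in the session.
# The card number is passed straight through and never written to the session.
def billing_step(gateway, session, card_number, cents)
  result = gateway.authorize(cents, card_number)
  session[:auth_ref] = result.authorization if result.success
  result
end

# Summary page: capture the final total against the stored reference.
# A failure here means the order grew past the ceiling and needs a new authorization.
def summary_step(gateway, session, final_cents)
  result = gateway.capture(final_cents, session[:auth_ref])
  session.delete(:auth_ref) if result.success
  result
end
```
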