Whoa. Authorize.net has a recurring billing API?

March 20, 2007

I was days away from signing up for a new payment gateway, maybe a new merchant account to get access to it, for a recurring payment API. The credit card subscriptions for W3Counter are a mess because it’s all done manually — Authorize.net didn’t have an API for their recurring billing feature, and I wasn’t willing to take the liability of storing payment information on my server to make the monthly charges.

Then I revisited SitePoint’s forums, where I’m only active about 3/4 of the year. I spend a lot more time there when I’m working than when I’m in school, and have only been checking private messages there regularly.

I read a post by stymiee, one of my favorite members and another great contributor to the forums there, and noticed his signature: Authorize.Net releases their Recurring Billing API – GET THE CODE. I was amazed. Authorize.net had created a recurring billing API and not even mentioned it in the announcements list that shows up whenever I log in to my account there.

I’m very, very excited about this. I don’t have to switch gateways, and I can get W3Counter’s accounts in order. The only way that was ever going to happen is with automation, which I can now do. So, along with a server move, I’ll be upgrading the upgrade code. Things are looking up for the hosted service.

That makes this a good time to provide a little update on the downloadable version… it’s falling behind. These past three months haven’t provided as much free time as I had hoped. I took way too many classes to devote the time to a big project considering I need a decent amount of time just to keep the whole business running. The process of finding a new job sucked up a good bit as well, and getting ready to move is taking up some of the free time I have right now during finals week (the rest goes to studying for finals and completing final projects and papers, of course).

I’d like to get back to it and finish it since there’s still demand for the product, but I can’t put a date on it. I am actually hoping to see an increase in “free time” after moving to the west coast simply due to the time zone change. If I can start my days early enough to leave work before 4:30ish, I’d be able to join the occasional World of Warcraft raid on an east coast server to relax (or a few rounds of Gears of War on the XBOX 360 which I’ve finally gotten around to turning on once or twice), then still have hours left afterwards to get something done.


10 comments

  1. March 20th, 2007

    Robert Norton wrote —

    It is awesome, though I am pretty sure it has been around for quite some time.

  2. March 20th, 2007

    Jason wrote —

    Dan, do you have any more info on the pros and cons, or maybe an article, about storing credit card information vs. using a remote API?

  3. March 20th, 2007

    Dan wrote —

    Con: The minimum fine if your server with the cardholder data is compromised and you don’t properly report it or aren’t CISP compliant at the time is $500,000. That gives you an idea of the scale of the liability here. Following all the CISP guidelines is just the beginning. You really don’t want to be storing cardholder data unless you’ve got big bucks and big security to make sure you do it right. That’s why it’s best left for the financial institutions prepared for that, like the payment gateways that the information passes through trillions of times a day.

  4. March 21st, 2007

    Jason wrote —

    And who is the CISP? Why do they have the right to fine a company? Are they a government organization? From all my years on the internet, working for companies in the internet business, and selling stuff online, I have never heard of this before.

  5. March 21st, 2007

    Dan wrote —

    It’s passed down through contractual obligation: VISA requires member banks that store cardholder data be held to certain standards and that their merchants be held to those standards. When they sign a company to provide merchant services underwritten by their bank, they in turn require that company to hold itself and its customers to those standards to meet the bank’s liability. Those merchant service providers in turn require the businesses they sign up, us, to hold to certain standards to meet their liability to the bank underwriting their accounts. There’s nothing mystical about it, it’s contract law.

    This is right out of the contract that has to be signed to apply for a merchant account with CDG Commerce (they’re popular on SitePoint and WebHostingTalk’s forums):

    14. Compliance With Laws And Rules. You agree to comply with all rules and operating regulations issued from time to time by MasterCard and Visa and any policies and procedures provided by Member or PROCESSOR (“Rules”). The Rules are incorporated into this Agreement by reference as if they were fully set forth in this Agreement. [...]

    This is exactly why everyone *must* read contracts they sign. If you just skimmed over this, you could have no idea the liability you’re signing yourself up for. Visa can’t collect anything from you, but if you don’t meet Visa’s regulations, you’re in breach of this contract. And once you’re in court for breaching the contract, the company you did contract with, your merchant provider, can go after you for the fine they got hit with for your violation as consequential damages. But don’t quote me on that, I’m not a lawyer.

  6. March 24th, 2007

    Robert Norton wrote —

    That’s lame, thanks for the heads up though Dan.

  7. March 28th, 2007

    doolally wrote —

    What’s lame? The way credit card companies try to ensure their customers’ info is safe and secure?

  8. March 28th, 2007

    Dan wrote —

    I agree with that. If it weren’t for these strict policies, every 12 year old “web host” and “web designer” that could get a parent to sign off on a merchant account would be storing our payment information on their servers. Then we’d have more than 2.5 million stolen cards available for sale on any given day.

    Authnet just sent out a mail today to their members announcing the recurring billing API availability.

  9. March 29th, 2007

    Robert Norton wrote —

    Doolally, just to clarify, I was not stating that the CISP’s regulations and enforcement are lame, I was referring to something totally different (in regards to my blog).

    As far as the strict policies, you have to jump through an unbelievable amount of hoops to get a merchant account for any reputable provider. Like getting some sort of loan, they audit banking history, credit reports, and on and on and on. I’m totally sympathetic to their wishes because after all, they truly do have the best intentions considering they are an independent organization.
