Comments on: Whoa. Authorize.net has a recurring billing API?

By: Robert Norton

Robert Norton — Thu, 29 Mar 2007 16:23:36 +0000

Doolally, just to clarify I was not stating that the CISP’s regulations and enforcement is lame, I was referring to something totally different (in regards to my blog).

As far as the strict policies, you have to jump through an unbelievable amount of hoops to get a merchant account for any reputable provider. Like getting some sort of loan, they audit banking history, credit reports, and on and on and on. I’m totally sympathetic to their wishes because after all, they truly do have the best intentions considering they are an independent organization.

By: Dan

Dan — Wed, 28 Mar 2007 20:10:55 +0000

I agree with that. If it weren’t for these strict policies, every 12 year old “web host” and “web designer” that could get a parent to sign off on a merchant account would be storing our payment information on their servers. Then we’d have more than 2.5 million stolen cards available for sale on any given day.

Authnet just sent out a mail today to their members announcing the recurring billing API availability.

By: doolally

doolally — Wed, 28 Mar 2007 17:12:28 +0000

What’s lame? The way credit card companies try to ensure their customers info is safe and secure?

By: Robert Norton

Robert Norton — Sat, 24 Mar 2007 15:20:04 +0000

That’s lame, thanks for the heads up though Dan.

By: LessThanHumble.com » Blog Archive » Spring Break, A Little Late

LessThanHumble.com » Blog Archive » Spring Break, A Little Late — Fri, 23 Mar 2007 17:11:59 +0000

[...] Whoa. Authorize.Net has a reoccuring billing API?” href=”http://www.dangrossman.info/2007/03/20/whoa-authorizenet-has-a-recurring-billing-api/”>DanGrossman.info > Whoa. Authorize.Net has a reoccuring billing API? [...]

By: Dan

Dan — Wed, 21 Mar 2007 20:26:57 +0000

It’s passed down through contractual obligation: VISA requires member banks that store cardholder data be held to certain standards and that their merchants be held to those standards. When they sign a company to provide merchant services underwitten by their bank, they in turn require that company to hold itself and its customers to those standards to meet the bank’s liability. Those merchant service providers in turn require the businesses they sign up, us, to hold to certain standards to meet their liability to the bank underwriting their accounts. There’s nothing mystical about it, it’s contract law.

This is right out of the contract that has to be signed to apply for a merchant account with CDG Commerce (they’re popular on SitePoint and WebHostingTalk’s forums):

14. Compliance With Laws And Rules. You agree to comply with all rules and operating regulations issued from time to time by MasterCard and Visa and any policies and procedures provided by Member or PROCESSOR (“Rules”). The Rules are incorporated into this Agreement by reference as if they were fully set forth in this Agreement. [...]

This is exactly why everyone *must* read contracts they sign. If you just skimmed over this, you could have no idea the liability you’re signing yourself up for. Visa can’t collect anything from you, but if you don’t meet Visa’s regulations, you’re in breach of this contract. And once you’re in court for breaching the contract, the company you did contract with, your merchant provider, can go after you for the fine they got hit with for your violation as consequential damages. But don’t quote me on that, I’m not a lawyer.

By: Jason

Jason — Wed, 21 Mar 2007 19:23:13 +0000

And how is the CISP? Why do they have the right to fine a company? Are they a government organization? From all my years on the internet, working for companies in the internet business, and selling stuff online, I have never heard of this before.

By: Dan

Dan — Tue, 20 Mar 2007 23:53:43 +0000

Con: The minimum fine if your server with the cardholder data is compromised and you don’t properly report it or aren’t CISP compliant at the time is $500,000. That gives you an idea of the scale of the liability here. Following all the CISP guidelines is just the beginning. You really don’t want to be storing cardholder data unless you’ve got big bucks and big security to make sure you do it right. That’s why it’s best left for the financial institutions prepared for that, like the payment gateways that the information passes through trillions of time a day.

By: Jason

Jason — Tue, 20 Mar 2007 23:20:05 +0000

Dan, do you have any more info on the pros and cons, or maybe an article, about storing credit card information vs. using a remote API?

By: Robert Norton

Robert Norton — Tue, 20 Mar 2007 14:49:34 +0000

It is awesome, though I am pretty sure it has been around for quiet some time.