lisath

How do we grab cc numbers with Authorize.net?


Hi, I'm using Authorize.net on this site: www.moplants.com.

 

I know that they mask numbers on their merchant interface, but the fulfillment house and the client I'm working for want to grab the cc numbers so they're not restricted to doing returns within Authorize.net's time parameters.

 

Authorize.net has told me that it is possible to grab the numbers while the transaction is being processed, but of course they haven't told me how to do that.

 

Can anybody help me out?

 

thanks!


reason they haven't told you how to do this is cuz it is against their policy and most likely your merchant account. lots of companies will cancel you if you store the cc info.


John Oligario

 

Knowledge Base Contributions


No, actually, I specifically asked them if I was prohibited by our agreement from getting the cc number because others had told me that it was a violation. They said that I was not prohibited, but that I needed to know how to do it--they weren't able or willing to tell me how to do that using osCommerce.


call again and speak to someone else. It's in their printed material and against their TOS.


This is excerpted from my email to Customer Support and their reply:

from me:

**

"Thank you for your reply. I understand from reading it that I cannot access credit card numbers via your Merchant Interface. However, I am wondering two things: 1) under the terms of our agreement with you are we able to grab the credit card numbers ourselves during the transaction, and 2) if so, are we capable of doing so?"

**

reply:

**

"Greetings from Authorize.Net!

 

Yes, you are able to grab the credit card numbers yourselves during the transaction request. As to whether you are capable of it, that depends.

 

I know that osCommerce is an open source shopping cart. What that means is that you would need a web developer capable of writing the code that would access the credit card number as it is input during the transaction process."

**

 

That seems pretty explicit. But if you think this person is wrong then I guess I should call and talk with somebody by phone. Otherwise, perhaps osCommerce doesn't have this capability?

 

in deep appreciation of your help,

Lisa


Anyone have an answer to this?? I also have a client that really wants (demanding) to record the credit card numbers. I've tried to tell them no, but they insist. So is it against the TOS? Is it legal? And more importantly, is it possible?

 

Thanks!

 

Brian


please, bumping not allowed in the forum. you need to check your agreement with authorize.net, as if i am not mistaken it is illegal to do what you are trying to accomplish. in fact just about all merchant accounts the agreement is that way.

 

this has also been discussed many times in this forum, searching will give you a few threads on this.


John Oligario

 

Knowledge Base Contributions


I know there seems to be almost universal belief that this is not allowed, however I just called Authorize.net to verify it one way or another. They said that getting the credit card numbers is NOT against our agreement, and NOT illegal. They don't recommend it, and they won't tell me how, but it is something I'm allowed to do.

 

If you have an account with them, you can call 1-877-447-3938 to verify this for yourself.

 

Which leads me back to the question: Does anybody know how to do this?

 

thanks...!

 


I know this might be frowned upon, but I'm afraid I drowned my reply by leaving my last reply about bumping. I'm copying my earlier message below to make sure people see it.

 

By the way, what is "bumping"?

 

Earlier message*

I know there seems to be almost universal belief that this is not allowed, however I just called Authorize.net to verify it one way or another. They said that getting the credit card numbers is NOT against our agreement, and NOT illegal. They don't recommend it, and they won't tell me how, but it is something I'm allowed to do.

 

If you have an account with them, you can call 1-877-447-3938 to verify this for yourself.

 

Which leads me back to the question: Does anybody know how to do this?

 

thanks...!

*


"Bumping" is replying to a forum thread just to get it to go to the top of the list of unread threads. I apologize for bumping the thread, I didn't realize it was against forum policies.

 

My client that wants to record the credit card number called her bank and they said it is ok with them and that she should contact her webmaster (me) to get it done.

 

So, if authorize.net says it's OK and the bank says it's OK, is there a way to do it? I'm an ok programmer, but haven't had much luck getting this to work. Any ideas on where to start?


Well, because I was unable to answer this question, and for several glitches that occurred, my client yesterday decided to drop this cart which she had paid for already and to bring in another developer to install Miva instead. She says that she lost confidence and had too much riding on this to have a cart that couldn't be counted on.

 

I think this is a good product, but the documentation is so sparse, and finding answers so random (hoping somebody will answer a post), that it's hard to be fully responsive to a client. I feel terrible that I've let my client down and don't think I would use osCommerce again for that reason.

 

Thanks for the replies to this thread. And good luck to the people trying to answer this question.


an authorize support tech actually told me an option i have (we have big orders/ over 5k each) is to grab the numbers before we send it to the gateway so we can do additional checks on the cards (ie call the bank)...

 

so i don't see what's the problem here...


Designrfix.com | Graphic Design Inspiration & Web Design Resources - @designrfix


btw.. i'm working on a contrib that would join ccgpg & authorize... don't know if i'll be able to but i'll try ;)


Designrfix.com | Graphic Design Inspiration & Web Design Resources - @designrfix


i managed to get the cc.php run the ccgpg.php code... now all i need is an authorize account so i can start on it... (in about a week or 2)


Designrfix.com | Graphic Design Inspiration & Web Design Resources - @designrfix


done...

 

preview :

 

authgpg.gif

 

building contrib, posting it as soon as it's ready.

 

next update :

 

1) add bank phone number input field to the checkout

 

2) add a copy button(javascript) next to the data (gpg encrypted text) box to copy the contents to the clipboard (no need to select text & copy). any better ideas here?

 

3) add a delete button to clear the data field (security reasons...)


Designrfix.com | Graphic Design Inspiration & Web Design Resources - @designrfix


I have this contrib working now... but, how the heck do I decode the gpg data that appears in admin/orders ?

 

RonR


if you would take a look at your agreement you signed with authorize.net, you will find you are breaking the agreement you have with them, and stand a chance of having your account terminated and you will lose any deposit, etc you have with them, and have no recourse. and it could black flag you with other merchant accounts if that happens.


John Oligario

 

Knowledge Base Contributions


It's not so much Authorize.net as Visa/MC (and probably the rest). There are recent changes to their policies in response to the identity theft problems of late. I think the cut-off for strict adherence is merchants doing 20K annually or less. Under that they let the acquirer set the policies and they are generally lenient because they want your business. Other than that, storing of credit card numbers has always been frowned upon. The biggest problem with capturing them (which is very easy to do) is handling them in such a way that doesn't negate the security of the transaction. Authorize.net can say they don't care all day long; it won't necessarily protect the merchant from the liability of carelessly handling their customer's financial information. It's a bad practice, but if they are low volume they will probably be ok, at least until someone tells the bank that all those fraudulent charges on their card occurred right after they shopped at your client's web site ;).

 

David


I'm not sure where you got your information. Here's an excerpt from their agreement:

 

4.1  Merchant Obligations. You are solely responsible for the security of data residing on server(s) owned or operated by You, or a third party designated by You (e.g., a web hosting company, processor, or other service provider). You shall comply with all applicable laws and regulations governing the security, collection, retention and use by You of financial information, including credit cards, and all other personally identifiable customer information. You agree to provide notice to your customers on Your web site that discloses how and why personal and financial information is collected and used, including uses governed by this Agreement. Nothing in this Agreement shall prevent or restrict You from using any information You collect or receive independent of Your performance under this Agreement.

 

LIMITATIONS OF LIABILITY AND DISCLAIMERS.

11.1  DISCLAIMER. AUTHORIZE.NET EXPRESSLY DISCLAIMS ANY LIABILITY FOR LOSS ARISING FROM OR RELATED TO THE AUTHORIZE.NET SERVICES, MERCHANT SERVICE PROVIDERS, THIRD PARTY PROCESSORS, OR THIS AGREEMENT (HOWEVER ARISING, INCLUDING NEGLIGENCE), INCLUDING WITHOUT LIMITATION, LIABILITY OR LOSS ASSOCIATED WITH: YOUR FAILURE TO PROPERLY ACTIVATE OR INTEGRATE YOUR MERCHANT ACCOUNT; OR UNAUTHORIZED ACCESS TO YOUR DATA OR YOUR CUSTOMER DATA (INCLUDING CREDIT CARD NUMBERS AND OTHER PERSONALLY IDENTIFIABLE INFORMATION), A MERCHANT INTERFACE, YOUR WEBSITE, A SERVER, OR A FACILITY, DUE TO ACCIDENT, ILLEGAL OR FRAUDULENT MEANS INCLUDING HACKING, OR DEVICES USED BY ANY THIRD PARTY, OR OTHER CAUSES BEYOND AUTHORIZE.NET'S REASONABLE CONTROL. YOU EXPRESSLY AGREE THAT AUTHORIZE.NET SHALL NOT BE LIABLE FOR ANY LOSS ARISING FROM: (I) A THIRD PARTY'S INFILTRATION OF AUTHORIZE.NET SERVICES, SYSTEMS OR WEBSITE BY ANY MEANS, INCLUDING WITHOUT LIMITATION, VIA DDOS ATTACKS, SOFTWARE VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, OR ANY OTHER SOFTWARE PROGRAMS, OR TECHNOLOGY; (II) DISRUPTION, DAMAGE, INTERCEPTION, UNAUTHORIZED ACCESS TO OR EXPROPRIATION OF THE AUTHORIZE.NET SERVICES, OR ANY SYSTEM, PROGRAM, DATA, TRANSACTION OR PERSONAL INFORMATION BELONGING TO AUTHORIZE.NET, YOU OR ANY THIRD PARTY; (III) THE LIMITATION OF THE FUNCTIONING OF ANY SOFTWARE, HARDWARE, EQUIPMENT OR SERVICE; OR (IV) ACTIONS OR INACTIONS BY ANY THIRD PARTY, INCLUDING WITHOUT LIMITATION, A MERCHANT SERVICE PROVIDER, PAYMENT PROCESSOR OR BANK. AUTHORIZE.NET EXPRESSLY DISCLAIMS ANY LIABILITY FOR THE INDIVIDUAL MERIT AND LEGITIMACY OF ORDERS FORWARDED FROM YOU AND FOR ANY AND ALL CLAIMS OF LOSS AND/OR FRAUD INCURRED RESULTING FROM THE USE OF OR CONCLUSIONS DRAWN FROM THE DATA PROVIDED BY THE FRAUDSCREEN.NET SERVICE.

 

Nowhere does this say anything about storing cc numbers. If you have a different agreement I'd like to see it.

 

Besides I did go to all this trouble to encrypt !

 

RonR


Here's the reason that I want to capture the cc info.

 

I have products that are backordered and will not ship for 30-60 days. These are $500 items in limited supply and I take pre-orders from customers. I want to take their cc and authorize but then complete the charge when it ships.

 

I am using Authorize.net's "Authorized/Pending Capture" to authorize only and I will then complete the charge when the item ships. The problem is that Auth.net will only hold these cc transactions for "about" 30 days then it will be purged.

 

I need a way to charge their cc's if Auth.net's time limit runs out, hence the need to capture cc info.

 

If there is another way to do this I'd sure like to know about it.

 

RonR


Strong encryption would definitely be a must if you were going to store them. Just to be clear though, it's really the agreement with the merchant account holder that I would consult, not Authorize.net. They are just the gateway in between. Your obligation is to the merchant account and their bank - they are responsible for communicating the current policies from Visa/MC. I think Amex and Discover have separate agreements with merchants.

 

If it were me, I would run it by them first. However, if you are careful and can demonstrate that you used all due caution, encryption, etc in case of an audit, and if you dispose of the information after the sale, I doubt there would be much of a problem. That's purely speculation so take it for what it is worth B).

 

David


Thank you for the inputs Dave. I appreciate your inputs and will certainly consider all the issues.

 

This is still kinda funny... I can encrypt but still can't decrypt. :P

 

RonR

