Note: this is a potentially a non-trivial feature request and no I’m not asking for someone to do it for me. I’m looking for: guidance, feedback, and potentially someone to hire to complete if I simply cannot do it myself while juggling my other job responsibilities.

Background

PCI compliance can be a deal breaker when exploring cloud hosting options. It can also add significant costs, delay roll out, and force customers to cut back features. Yes, there are solutions that can significantly reduce the PCI Compliance responsibilities. An example is Authorize.net SIM (Drupal Ubercart module here http://drupal.org/project/ucauthorizenetsimdpm), which essentially redirects you away during the payment process and brings you back. This places much of the burden on Authorize.net.

However, if you’re running a site that requires a recurring payment and/or storing customer payment information, authorize.net CIM really seems like the way to go. It’s been critical for debugging purpose, refunds, additional charges, etc.

By default, these two needs conflict. Because the payment is technically being processed before Drupal before being sent to Authorize.net, there is the chance that a module can tie into said form, record it, and do something nefarious. Using Authorize.net DPM, although directly posting to the site, is not completely immune to this either. At a first glance, the only way to avoid the major of one’s PCI responsibilities is stick with SIM.

However, it is possible to create a hosted version of Authorize.net CIM (http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/). In doing so, you could provide a user with one of 3 options: redirect to authorize.net, a modal popup, or an iframe within the page itself. In all cases, it’s authorize.net creating the form and therefore it places the a majority of the PCI responsibility back onto Authorize.net.

An iframe, IMHO, would rule. It would give you all the features of CIM without all of the PCI troubles. Unfortunately, I’m not aware of a module that adds this functionality.

Goal

The goal is an extension of the uc_authorize.net module. The exact feature would be a checkbox in the CIM settings (next to the login credentials) that would allow one to replace the ubercart portion of the checkout form with the authorize.net form.

Concerns and Considerations

Sounds simple, but I can already think of many possible issues:

  • Since authorize.net CIM has an address verification system (AVS), does the address field also need to be replaced? If so, does the response from the servers give it back to us in a meaningful way.
  • Taxes require access to the address fields. Does authorize.net have a means to calculate that as well (I’m assuming no).
  • Free payment method. Can we use the form ajax system to make it go away if the subtotal drops to zero and we now have a free payment (again, I’m assuming no)

Unless I’m missing something, this may also be a no go.

Backup Plan: Redirect

If instead of keeping them all on site, how difficult would it be to employ an SIM like redirect for the CIM module? Would it simply be a matter or replicating ucauthorizenetsimdpm?

Feedback

Again, feedback is appreciated and this issue may simply just close down because there is no elegant solution. But if there is, I’m all ears. Also, if there are other trouble spots, please put them down as well.

Authorize.net Specifics

Comments

mcfilms’s picture

@rickmanelius I am curious if you made any progress on this feature. Clearly shifting the storage of credit cards to Authorize.net makes sense.

The scenario that makes the most sense in my mind is to still run everything through Drupal. So taxes, shipping costs, address verification and all that remain in the Drupal/Ubercart system. But along with the user's account there is a checkbox that says, "store this credit card on the secure server for future purchase." (Or something like that.) When that flag is set, a visit to the checkout page will either pre-fill or allow select menus (with the last 4 digits) for the payment method.

Of course this is easier said than done. Have you found anything like this for either UC or Commerce?

rickmanelius’s picture

Hi @mcfilms.

I've been evaluating this for both Ubercart and Commerce and have a working plan for commerce. At this stage in the game, I don't think I can commit to doing this for ubercart as we're making the transition over to Commerce in the near future.

One of the workflow issues will be in no longer allowing anonymous checkout. While it's technically possible to use a token and reference the anonymous user by session ID, it's not preferable and can result in some frustration points if the session is dropped and the user wants to complete the checkout process, etc.

So the answer is "yes" it's being worked on, "no" it's probably not happening for ubercart, and "I'm working on it" in terms of when this will happen :)

TR’s picture

@mcfilms: There are several modules that can provide some CIM integration for Ubercart:
http://drupal.org/project/uc_authnet
http://drupal.org/project/uc_cim

If you're interested in this feature, please contribute to those.

mcfilms’s picture

Thank you both.

I am the very beginning of a project, so I have multiple possibilities:

1.)The client suggested building the whole project in Magento - but I'm not sure how well it will expand with new features or if it will support the multiple roles as the site requires.

2.) Use Ubercart - at this stage the retrieval of credit card numbers seems to be the biggest stumbling block. Although I appreciate both of the links TR posted, it would be ideal to find something that was out of Beta and on D7 (But maybe I could throw some love toward this feature set and get it in D7). The Magento add-in to do this is $195, so i know I have at least that in the budget.

3.) Use Commerce, which is a whole new ballgame for me. There are probably features missing that I'm not even aware of yet. If I do go this route I'd like to see if I can somehow combine efforts with rickmanelius' efforts.

The start of a project is always so fun. All the potential and none of the agonizing, "...but I thought this was supposed to work this way..."

m.stenta’s picture

Regarding comment #3 above, my friend and I have recently taken over maintainership of uc_cim, and we're currently debating whether or not it's worth continuing.

We have started a sandbox Authorize.net API module, which is currently in development. It uses the Authorize.net SDK and will provide API wrapper functions for all the necessary functionality. Currently it provides MOST of the functions for CIM, and the rest should be added within the next few days.

Our plan is to create an authnet_uc module for Ubercart integration, and an authnet_commerce module for Commerce integration. If you are interested in helping, please contact me, or join in discussion on the issue queue. I plan to promote it to a full project soon.

rickmanelius’s picture

Hi m.stenta,

When you say "most" functions of CIM, do you plan/intend on using the hosted CIM capabilities? The reason I ask is that 's the main motivation in this issue, to use an outsourced payment solution without redirect in order to achieve PCI SAQ A.

m.stenta’s picture

What I meant was, in it's current state (which is still in development), it provides wrapper functions for most of the methods that Authorize.net's API provides. The only thing it's missing right now is the ability to save a transaction (a big deal, I know, but expect it to be there in the next few days).

When you say "hosted" CIM... I think you actually mean SIM. CIM is Authorize.net's "Customer Information Manager" which simply provides the ability to keep track of customer information within Authorize.net (including credit cards) so that you don't have to keep track of it in your own database (to be PCI compliant). SIM is a service that Authorize.net provides that allows you to use Authorize.net's checkout process, rather than using Ubercart or Commerce's. SIM uses CIM, as far as I know, but conceptually it is a different thing.

Ultimately, I'd like to add support for SIM to the new module, but it isn't there yet. You may want to look into the following modules, which claim to provide support for SIM in Ubercart/Commerce (I haven't looked into either myself):

https://drupal.org/project/uc_authorizenet_simdpm
https://drupal.org/project/commerce_authnet_simdpm

Sorry, I forgot to post a link to the sandbox project in my previous comment. Here it is: https://drupal.org/sandbox/mstenta/1665924

Edit: Sorry again... some of this information is redundant and it appears that you already knew about it. I admit that I didn't fully read the issue summary before posting. Just thought I'd share the new module with you as well. ;-)

TR’s picture

@m.stenta: I'd strongly encourage you to write your module using the http://drupal.org/project/payment API, for all the reasons mentioned on that project page.

m.stenta’s picture

Thanks TR, I'll definitely look into that. Currently, we are focusing on 6.x because that's what both our clients are using, but we are designing it in a way to be a very general Authorize.net API... so a 7.x version will be trivial.

Soon, we will start developing companion modules that provide integration between the new Authnet module and Ubercart/Commerce. At that point, we'll make sure that we do it in a way that makes it compatible with the Payment API in the 7.x branch.

m.stenta’s picture

Update! You may want to look into the new 7.x-2.x branch of the Ubercart Authorize.net Payment Gateway module. It is a complete rewrite, leveraging the Authorize.net API project.

longwave’s picture

Status: Active » Fixed

It is unlikely any of these improvements will make it into Ubercart core, so anyone interested in these features is better off following the links in #10.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.