Note: this is potentially a non-trivial feature request, and no, I’m not asking for someone to do it for me. I’m looking for guidance, feedback, and potentially someone to hire to complete it if I simply cannot do it myself while juggling my other job responsibilities.
PCI compliance can be a deal breaker when exploring cloud hosting options. It can also add significant costs, delay rollout, and force customers to cut back features. Yes, there are solutions that can significantly reduce the PCI compliance responsibilities. An example is Authorize.net SIM (Drupal Ubercart module here: http://drupal.org/project/ucauthorizenetsimdpm), which essentially redirects you away during the payment process and brings you back. This places much of the burden on Authorize.net.
However, if you’re running a site that requires recurring payments and/or storing customer payment information, Authorize.net CIM really seems like the way to go. It’s been critical for debugging purposes, refunds, additional charges, etc.
By default, these two needs conflict. Because the payment is technically being processed by Drupal before being sent to Authorize.net, there is the chance that a module can tie into said form, record it, and do something nefarious. Using Authorize.net DPM, although directly posting to the site, is not completely immune to this either. At first glance, the only way to avoid the majority of one’s PCI responsibilities is to stick with SIM.
However, it is possible to create a hosted version of Authorize.net CIM (http://www.authorize.net/solutions/merchantsolutions/merchantservices/cim/). In doing so, you could provide a user with one of 3 options: a redirect to authorize.net, a modal popup, or an iframe within the page itself. In all cases, it’s authorize.net creating the form, and therefore it places the majority of the PCI responsibility back onto Authorize.net.
An iframe, IMHO, would rule. It would give you all the features of CIM without all of the PCI troubles. Unfortunately, I’m not aware of a module that adds this functionality.
The goal is an extension of the uc_authorize.net module. The exact feature would be a checkbox in the CIM settings (next to the login credentials) that would allow one to replace the Ubercart portion of the checkout form with the Authorize.net form.
Concerns and Considerations
Sounds simple, but I can already think of many possible issues:
- Since Authorize.net CIM has an address verification system (AVS), does the address field also need to be replaced? If so, does the response from the servers give it back to us in a meaningful way?
- Taxes require access to the address fields. Does Authorize.net have a means to calculate that as well? (I’m assuming no.)
- Free payment method. Can we use the form AJAX system to make it go away if the subtotal drops to zero and we now have a free payment? (Again, I’m assuming no.)
Unless I’m missing something, this may also be a no-go.
Backup Plan: Redirect
Instead of keeping them all on site, how difficult would it be to employ a SIM-like redirect for the CIM module? Would it simply be a matter of replicating ucauthorizenetsimdpm?
Again, feedback is appreciated, and this issue may simply close down because there is no elegant solution. But if there is, I’m all ears. Also, if there are other trouble spots, please put them down as well.