Chloe

Reputation: 26294

Catch-22 For Authorize.net Customer Profiles: Cannot create profile without adding credit card - violates PCI

Customer Profiles API purports to allow the customer to enter their payment details and save it on Authorize.net without the credit card number hitting our servers to maintain PCI compliance. However, in order to create a customer profile, it requires a credit card number in the first place! I want to access the hosted form, but it requires a customer profile id. To create a customer profile id, I have to create a customer profile. To create a customer profile, it requires a credit card number. The API only uses server-side languages, so that would mean the credit card number is hitting our servers.

I tried to edit the sample request in the API reference and remove <payment>, but when submitted, it gave an error.

I thought I should be able to create a blank customer profile, display the form, allow the user to enter their payment details, save to Authorize.net, then fetch the payment details later during the subscription billing period.

https://developer.authorize.net/api/reference/index.html#customer-profiles-create-customer-profile

<createCustomerProfileRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <merchantAuthentication>
    <name>5GwYqmx58k</name>
    <transactionKey>xxxxxxxxxxxxxxxxxxxxxxxx</transactionKey>
  </merchantAuthentication>
  <profile>
    <merchantCustomerId>Merchant_Customer_ID</merchantCustomerId>
    <description>Profile description here</description>
    <email>[email protected]</email>
    <paymentProfiles>
      <customerType>individual</customerType>
    </paymentProfiles>
  </profile>
  <validationMode>testMode</validationMode>
</createCustomerProfileRequest>

Response: E00029 : Payment information is required.

Documentation: https://developer.authorize.net/api/reference/features/customer_profiles.html

Upvotes: 1

Views: 620

Answers (1)

rhldr

Reputation: 1069

PCI DSS allows card data to pass through a merchant's server; however, the merchant is then responsible for ensuring their environment is fully PCI DSS compliant. To reduce your PCI scope, and avoid having sensitive data pass through your server, you can create customer profiles using Accept.js or Accept Customer.

https://developer.authorize.net/api/reference/features/accept.html

To create a customer profile without payment details, use the following without payment or validation object:

<createCustomerProfileRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <merchantAuthentication>
    <name>*</name>
    <transactionKey>*</transactionKey>
  </merchantAuthentication>
  <profile>
    <merchantCustomerId>Merchant_Customer_ID</merchantCustomerId>
    <email>[email protected]</email>
  </profile>
</createCustomerProfileRequest>

Upvotes: 2
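The following is an added example (not code from either poster or from Authorize.net) showing the server-side half of the answer above: build the payment-free createCustomerProfileRequest, refuse to send any request that carries card data (so a PAN never leaves your server by accident), and parse the response for the customerProfileId or the E00029 error. The sandbox URL is taken from memory and should be verified against the docs; the two sample responses are constructed in the documented shape, not captured from the API; the function names are this example's own.

```python
"""Create an Authorize.net customer profile with no payment data.

Added example, not Authorize.net code.  The endpoint URL is an assumption and the
sample responses below are constructed, not captured from the live API.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ANET_NS = "AnetApi/xml/v1/schema/AnetApiSchema.xsd"
# Sandbox endpoint for the XML API (assumption; verify against the developer docs).
SANDBOX_URL = "https://apitest.authorize.net/xml/v1/request.api"

# Elements that carry or validate card data.  A profile-only request must not contain
# any of them (the answer says to omit both the payment and the validation object).
CARD_DATA_TAGS = {"payment", "paymentProfiles", "creditCard", "cardNumber",
                  "cardCode", "expirationDate", "validationMode"}
# Any run of 13-19 digits looks like a PAN.  A numeric merchantCustomerId of that
# length would also trip this guard, so keep such ids shorter or non-numeric.
PAN_LIKE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def build_profile_request(api_login_id, transaction_key, merchant_customer_id,
                          email, description=""):
    """Return the createCustomerProfileRequest XML in the payment-free shape.
    Values are escaped so caller-supplied text cannot inject extra elements."""
    desc = f"\n    <description>{escape(description)}</description>" if description else ""
    return (
        f'<createCustomerProfileRequest xmlns="{ANET_NS}">\n'
        "  <merchantAuthentication>\n"
        f"    <name>{escape(api_login_id)}</name>\n"
        f"    <transactionKey>{escape(transaction_key)}</transactionKey>\n"
        "  </merchantAuthentication>\n"
        "  <profile>\n"
        f"    <merchantCustomerId>{escape(merchant_customer_id)}</merchantCustomerId>{desc}\n"
        f"    <email>{escape(email)}</email>\n"
        "  </profile>\n"
        "</createCustomerProfileRequest>\n"
    )


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def contains_card_data(xml_text):
    """True if the request carries a card-data element or a PAN-looking digit run."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) in CARD_DATA_TAGS:
            return True
        if el.text and PAN_LIKE.search(el.text):
            return True
    return False


def parse_profile_response(xml_text):
    """Extract resultCode, the first message code/text and the new customerProfileId."""
    root = ET.fromstring(xml_text)
    ns = {"a": ANET_NS}
    result = root.findtext("a:messages/a:resultCode", default="", namespaces=ns)
    return {
        "ok": result == "Ok",
        "code": root.findtext("a:messages/a:message/a:code", default="", namespaces=ns),
        "text": root.findtext("a:messages/a:message/a:text", default="", namespaces=ns),
        "customer_profile_id": root.findtext("a:customerProfileId", default=None,
                                             namespaces=ns),
    }


def create_profile(xml_request, url=SANDBOX_URL, timeout=10):
    """POST the request only after the card-data guard passes (network call; not run here)."""
    if contains_card_data(xml_request):
        raise ValueError("refusing to send: request contains card data")
    req = urllib.request.Request(url, data=xml_request.encode("utf-8"),
                                 headers={"Content-Type": "text/xml"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        # utf-8-sig drops the BOM that the XML API responses may start with.
        return parse_profile_response(resp.read().decode("utf-8-sig"))


# Constructed sample responses in the documented shape (not captured from the API).
SAMPLE_OK = (
    '<?xml version="1.0" encoding="utf-8"?>'
    f'<createCustomerProfileResponse xmlns="{ANET_NS}">'
    "<messages><resultCode>Ok</resultCode>"
    "<message><code>I00001</code><text>Successful.</text></message></messages>"
    "<customerProfileId>1234567</customerProfileId>"
    "</createCustomerProfileResponse>"
)
SAMPLE_E00029 = (
    '<?xml version="1.0" encoding="utf-8"?>'
    f'<createCustomerProfileResponse xmlns="{ANET_NS}">'
    "<messages><resultCode>Error</resultCode>"
    "<message><code>E00029</code><text>Payment information is required.</text></message>"
    "</messages></createCustomerProfileResponse>"
)
# Constructed request that wrongly carries a card block, to show the guard catching it.
GOOD_REQUEST = build_profile_request("API_LOGIN_ID", "TRANSACTION_KEY", "cust-0001",
                                     "[email protected]", "Profile description here")
BAD_REQUEST = GOOD_REQUEST.replace(
    "  </profile>",
    "    <paymentProfiles><payment><creditCard><cardNumber>4111111111111111"
    "</cardNumber></creditCard></payment></paymentProfiles>\n  </profile>")

if __name__ == "__main__":
    print("good request has card data:", contains_card_data(GOOD_REQUEST))
    print("bad request has card data:", contains_card_data(BAD_REQUEST))
    print(parse_profile_response(SAMPLE_OK))
    print(parse_profile_response(SAMPLE_E00029))
```

Once create_profile returns a customerProfileId, that id is what the hosted Accept Customer form needs; the card details are then entered on the hosted page and stored as a payment profile on Authorize.net's side, so the server only ever handles the profile id, never the PAN.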
