I have been searching the forums for an unequivocal 'yes' or 'no' answer on offsite processing. The content I have read has a lot of procedural goodness, but to my understanding anyway . . not a flat can-do or cannot-do answer.

The gateway/processor I would like to use is Authorize.net ("offsite"). Drupal and CiviCRM are the components of the source site ("onsite").

Forgive me if I am being obtuse; hoping for a documented yes/no answer on whether or not Ubercart can offload the whole transaction . . payment information collection and all . . to Authorize.net acting as the "offsite" processor. A documented answer.

A bonus would be if it could be known if there is any customization required, or if it is an out-of-the-box feature set.

Thanks to all in advance.

Re: Straight 'yes' or 'no' on offsite processing

I don't know what CiviCRM is.

Ubercart runs on Drupal, and Ubercart can use Authorize.net to process payments (out of the box). There are other Drupal modules that can also do it.

Authorize.net has a couple of different methods, such as SIM, that collect and process all the payment information via the Authorize.net servers, with no need for your site to touch it. Ubercart can use this. Is that what you want? If so, see the SIM/DPM module for your document. The only customization is installing and configuring that module with your account information.

Authorize.net does have certain limitations. Ubercart's integration with Authorize.net has more limitations. These limitations might or might not affect you, depending on what you're doing.

What, exactly, do you want to accomplish? If you provide more specifics in your question, you can get a more specific answer.

Re: Straight 'yes' or 'no' on offsite processing

I believe they are looking for unloading PCI compliance to Auth SIM. I've read tons about hosted payment forms and there's conflicting info on what PCI is needed.

Seriously, PCI has become a cash cow and it's the CC companies' fault for having a shitty system from the get-go and they force it onto businesses.

What's sad is if you're not compliant some processors will just charge you an extra fee for non-compliance and a business goes on taking cards like usual.

PCI / Off-Site Processing

I am not an Ubercart expert; however, speaking in general terms, no reputable shopping cart or gateway should provide a method for you to easily "dump" (for lack of a better word) such details that contain full credit card numbers, as it would open a merchant up to the risk of suffering a data breach. With that being said, there are alternate methods of collecting such information online that are not secure, so you would have to have a customer base that does not take protecting themselves seriously. From there, most gateways have a "batch upload" option where locally stored data can be exported to the payment gateway.

To the PCI question, in a nutshell you are compliant if the sensitive payment information never actually passes through your website's server, such as through a hosted shopping cart solution. If you are not using a hosted shopping cart, then data must be encrypted so that such details cannot be viewed and an SSL certificate is required, with a redirect to a secure payment page being strongly recommended.

I am a Merchant Services Provider, and for what it's worth we also do not like PCI fees. There actually are a handful of providers that do not assess PCI fees to merchants, but rather they assess fees to their sales partners, so there are still ways to work around these fees. The main thing is to keep up with your compliance annually so you don't get dinged for the Non-Compliance fees.

"To the PCI question, in a nutshell you are compliant if the sensitive payment information never actually passes through your website's server, such as through a hosted shopping cart solution."

This is not actually true at this time. There are still requirements that must be met, even if the data does not pass through your server.

However, if you can ensure that payment card information never touches your server, it enormously lowers the requirements toward getting PCI compliance. The PCI compliance requirements for when data does touch your servers are too formidable for small businesses to meet. This is true even if you use a cart like Ubercart that does not store credit card numbers.