6

Does anyone have any experience with card on file services for credit cards, that handle the storage of credit card information for ongoing purchases?

We are looking for a solution that can be integrated with a custom ASP.NET app via a web service or similar but removes the storage of the info from our side of the equation in order to reduce risk and meet PCI compliance issues.

We need a solution that allows for us to do ongoing billing at different varied amounts for a card pass system, not recurring monthly fixed subscription billings.

Cheekysoft
schooner

3 Answers

4

I don't mean to sound like a shill, but I would check out Cybersource, which has a storage service like you're suggesting. Cybersource also purchased Authorize.net, which is targeted towards smaller businesses.

Matthew Groves
  • We currently use Authorize.net and the CIM service they provide might actually meet the end client needs, thanks for the tip, it wasn't obvious on the main Authorize.net site that they even offered this service when we looked previously. – schooner Jul 08 '09 at 14:36
  • Keep in mind that Authorize.net charges additional for using their gateway and the CIM service is another charge on top of that. I would partner with someone that has their own gateway since they will typically give you access to the gateway for free in exchange for the customer's credit card processing account. Some of them will even give referral fees to you for sending the business their way. – markiyanm Jun 01 '11 at 14:13
1

I'd recommend talking to your bank and asking them for recommendations. Then I'd also call Visa and Mastercard directly to see who's at the top of their lists.

I'd basically require a word of mouth recommendation from someone who is going to be part of that transaction process because they have a financial interest in this, i.e., your bank.

Of course, there is still the possibility of problems. Big names like ChoicePoint have even had security problems. Try to make sure it's a publicly traded company. That way you can do a little due diligence in checking out their assets and partners to make sure it works for you.

NotMe
  • We do plan to talk to the current processor and banks as well, was just looking for recommendations from a developer point of view as well to add to the list. – schooner Jul 08 '09 at 14:31
  • Pretty good answer, I've never thought of this approach before – Allen Rice Jul 08 '09 at 14:36
1

Best thing to do is integrate to a payment gateway that supports 'tokenization'. Basically, when you do the initial transaction, the gateway processes the card and then sends you back a token for that transaction. You can use that token for any subsequent transactions such as repeat sales and refunds of the original charge. I personally have worked with the MerchantWARE gateway which supports these features. There are also a few others out there. These gateways basically act as a vault for the card numbers but since you are just sending the token back and forth, PCI does not apply. Keep in mind that the initial transaction still puts you in scope of PCI since that has the credit card data unless you use software that offloads that first transaction as well.

markiyanm
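The token flow described in the answer above, as an added C# sketch that is not part of the original answer and not any gateway's real API. `ITokenGateway`, `FakeGateway`, `CardOnFile` and `LooksLikePan` are hypothetical names, the gateway is an in-memory stand-in, and the card number is a constructed test value.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical gateway contract; a real gateway exposes its own API.
interface ITokenGateway {
    string SaleAndTokenize(string pan, string expiry, decimal amount); // returns a vault token
    bool ChargeToken(string token, decimal amount);
}
// In-memory stand-in for the gateway's vault so the sketch runs offline.
class FakeGateway : ITokenGateway {
    private readonly Dictionary<string, string> vault = new Dictionary<string, string>();
    public string SaleAndTokenize(string pan, string expiry, decimal amount) {
        string token = "tok_" + Guid.NewGuid().ToString("N");
        vault[token] = pan;                 // the PAN lives only on the gateway side
        return token;
    }
    public bool ChargeToken(string token, decimal amount) {
        return amount > 0 && vault.ContainsKey(token);
    }
}
// What the merchant database holds for a card on file: no PAN, no expiry.
class CardOnFile { public string CustomerId, Token, Last4; }

static class Program {
    // Guard run before persisting: true if the value is a Luhn-valid 13-19 digit number.
    static bool LooksLikePan(string s) {
        string d = s.Replace(" ", "").Replace("-", "");
        if (d.Length < 13 || d.Length > 19 || !d.All(c => c >= '0' && c <= '9')) return false;
        int sum = 0;
        for (int i = 0; i < d.Length; i++) {
            int n = d[d.Length - 1 - i] - '0';
            if (i % 2 == 1) { n *= 2; if (n > 9) n -= 9; }
            sum += n;
        }
        return sum % 10 == 0;
    }
    static void Main() {
        ITokenGateway gw = new FakeGateway();
        string pan = "4111111111111111";    // constructed test number, not a real card
        // Initial sale: this request carries the PAN, so this code path is still in PCI scope.
        string token = gw.SaleAndTokenize(pan, "12/30", 25.00m);
        var rec = new CardOnFile { CustomerId = "cust-1", Token = token, Last4 = pan.Substring(pan.Length - 4) };
        if (LooksLikePan(rec.Token) || LooksLikePan(rec.Last4)) throw new InvalidOperationException("PAN in record");
        // Later card-pass purchases at varying amounts send only the stored token.
        foreach (decimal amt in new[] { 7.50m, 12.00m, 3.25m })
            Console.WriteLine("{0}: {1}", amt, gw.ChargeToken(rec.Token, amt) ? "approved" : "declined");
    }
}
```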