While thousands of custom websites with custom checkout procedures process credit cards, relatively few meet PCI compliance standards. Basically, when a credit card number TOUCHES your server, even if you do not store it, your system falls under PCI compliance guidelines, which are pretty nasty. The easiest thing to do is never let a credit card number even pass through your server. Many folks use Authorize.NET’s SIM method, but it requires the credit card number to pass through your server, setting you up for a likely PCI audit failure. Granted, credit card companies don’t run around auditing small online businesses, but I like doing things right and treating sensitive information with respect.
Authorize.NET DPM seems like a great method. However, I found the documentation at Authorize.NET confusing, and they do not provide an ASP.NET Web Forms example of DPM. So I extracted one from a recent project I worked on. Here are a few key points required to get this to work.
- ASP.NET doesn’t appear to support posting a form to an alternate address, but actually, it does. Check out the Button control’s PostBackUrl property. Setting this property lets your app submit a form directly to Authorize.NET’s server.
Check out the following downloadable demo.
This has been tested in Visual Studio 2010 / ASP.NET 4.0. Your mileage may vary in other environments. It is written in VB.Net, but should easily convert to C# or your CLR language of choice.
For the application to compile, first download the Authorize.Net .NET SDKs, click through their EULA, then extract:
And place them in the bin/ directory. Then edit the Web.config and replace the AUTHORIZE_NET variables with values from your developer account at Authorize.net. Lastly, make sure Authorize.NET can reach your relay URL (which should be “http://domain/siteroot/SIM.aspx”). This may require running your application in IIS (NOT the Visual Studio development server) and poking a hole through your firewall for testing. See notes in the code for more details, or check the Authorize.NET documentation.
The demo also has error handling and log4net to log any errors to a log.txt file in the site root.
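To illustrate the PostBackUrl point above, here is a single-file Web Forms page added as an example; it is not the downloadable demo's code. It assumes the HMAC-MD5 fingerprint scheme Authorize.NET documented for SIM/DPM, the sandbox gateway URL, a constructed amount, and two hypothetical appSettings key names.

```aspx-vb
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<script runat="server">
    ' Assumed appSettings key names; substitute the ones your Web.config defines.
    Protected ApiLogin As String = ConfigurationManager.AppSettings("AUTHORIZE_NET_API_LOGIN")
    Protected Amount As String = "19.99"   ' constructed sample amount
    Protected Sequence As String
    Protected TimeStamp As String
    Protected Fingerprint As String

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
        ' The transaction key is used only here, server-side; it is never rendered.
        Dim key As String = ConfigurationManager.AppSettings("AUTHORIZE_NET_TRANSACTION_KEY")
        ' Merchant-chosen sequence number (not a secret) and UTC seconds since 1970.
        Sequence = New Random().Next(1, 1000000).ToString()
        TimeStamp = CLng(Math.Floor((DateTime.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds)).ToString()
        ' Fingerprint input: login^sequence^timestamp^amount^ (trailing caret, no currency code).
        Dim msg As String = String.Join("^", New String() {ApiLogin, Sequence, TimeStamp, Amount}) & "^"
        Using h As New HMACMD5(Encoding.ASCII.GetBytes(key))
            Dim mac As Byte() = h.ComputeHash(Encoding.ASCII.GetBytes(msg))
            Fingerprint = BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant()
        End Using
    End Sub
</script>
<html>
<body>
<form id="pay" runat="server">
    <%-- Fields covered by the fingerprint, so the amount cannot be altered in the browser. --%>
    <input type="hidden" name="x_login" value="<%: ApiLogin %>" />
    <input type="hidden" name="x_amount" value="<%: Amount %>" />
    <input type="hidden" name="x_fp_sequence" value="<%: Sequence %>" />
    <input type="hidden" name="x_fp_timestamp" value="<%: TimeStamp %>" />
    <input type="hidden" name="x_fp_hash" value="<%: Fingerprint %>" />
    <input type="hidden" name="x_relay_response" value="TRUE" />
    <input type="hidden" name="x_relay_url" value="http://domain/siteroot/SIM.aspx" />
    <%-- Plain inputs without runat="server": the names stay exactly x_card_num and
         x_exp_date, and no server control ever binds to the card data. --%>
    Card number <input type="text" name="x_card_num" autocomplete="off" />
    Expires (MMYY) <input type="text" name="x_exp_date" autocomplete="off" />
    <%-- PostBackUrl retargets the form to the gateway (sandbox endpoint shown). --%>
    <asp:Button ID="PayButton" runat="server" Text="Pay"
        PostBackUrl="https://test.authorize.net/gateway/transact.dll" />
</form>
</body>
</html>
```

PostBackUrl is applied by client-side script when the button is clicked, so with JavaScript disabled the form submits to its own page and the card number reaches your server. Serve the page over HTTPS and check that the rendered form's default action cannot receive card fields if you rely on this pattern to stay out of PCI scope.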