[thelist] how secure to store credit cards
Keith
cache at dowebs.com
Tue Jan 8 22:55:10 CST 2002
Hi Erik
> What I was looking for is exactly authorizenet.com "ADC direct
> response" method of interacting with their service ... The webserver
> acts as a client to their servers, which carry out the transaction
> and return a response code.
I was unaware that authorizenet is using server-to-server back-
channel communication for the authorization cycle. That's an
excellent idea because, as you want, it is seamless for the
consumer.
These kinds of server-to-server communications are a lot more
common than you'd think. ServerA can receive a query from the
browser, pass it off in the back-channel to serverB, which does the
database work and returns the response to serverA which then
uses that response in its response to the browser. To the browser
it appears that everything happened on serverA but in reality 2000
different serverAs can be using the same common database on
serverB. Great for inventory control shopping carts selling common
and limited quantity stock on multiple websites. I've even set it up
as a server side include where the included response comes from
another server.
My guess is that authorizenet will have all you need for handling this
with CF. It's really easy to do with perl. It takes only a few lines of
code to create a browser-on-the-fly that then communicates, as a
browser/client, with the other server. In perl it's called an
LWP::UserAgent. The server it talks to has no idea it is talking to a
cgi script, it thinks it has a browser. I've never tried emulating the
browser's half of an SSL session with LWP but I assume it's doable.
As far as SSL goes, the client you create will have to use
authorizenet's SSL cert, you're still in a client-server relationship.
You of course will still need to have a cert for your server so you can
encrypt between the consumer's browser and your server. But like I
said, I'll bet authorizenet has a CF client template ready to use
since they would have far more CF users than perl users. If they
don't have a client template, holler; that would be a nice little niche
market to fill if they've left it open.
This is a gem of a find, Erik. Please let us all know how it goes, how
much of the work authorizenet has already done for you, how easy or
hard it is to set up, etc. I think it would make a good evolt article,
you're not the only one crossing that creek, and it looks like you
found a bridge.
keith
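
The back-channel exchange described in the message above, as an added example that is not part of the original post and is not authorizenet's API. It is written in Python rather than Perl's LWP::UserAgent; the gateway stub, the form field names, the approval rule and the card number are all constructed for illustration.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class GatewayStub(BaseHTTPRequestHandler):
    """serverB: a constructed stand-in for the payment gateway."""

    def do_POST(self):
        length = int(self.headers["Content-Length"])
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        # Hypothetical rule for the demo: approve amounts under 100.
        code = "1" if float(form["amount"][0]) < 100 else "2"
        # Echo the User-Agent so the caller can see what serverB believed.
        reply = f"{code},{self.headers['User-Agent']}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_gateway():
    """Run the stub on a free localhost port and return the server."""
    server = HTTPServer(("127.0.0.1", 0), GatewayStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def authorize(gateway_url, card_number, amount):
    """serverA: act as an HTTP client to serverB, return its decision."""
    fields = {"card": card_number, "amount": amount}  # hypothetical names
    request = urllib.request.Request(
        gateway_url,
        data=urllib.parse.urlencode(fields).encode(),
        headers={"User-Agent": "Mozilla/4.0 (compatible)"},
    )
    # No proxy, so the call goes straight to the gateway. With an https://
    # URL, urllib verifies the gateway's certificate by default.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(request, timeout=5) as response:
        code, seen_agent = response.read().decode().split(",", 1)
    return {"approved": code == "1", "gateway_saw": seen_agent}

if __name__ == "__main__":
    gateway = start_gateway()
    url = f"http://127.0.0.1:{gateway.server_address[1]}/"
    print(authorize(url, "4111111111111111", "25.00"))
    gateway.shutdown()
```

The stub runs over plain HTTP on localhost so the example works offline; a real gateway call would use an https:// URL so the card data is encrypted on the back channel as well.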