[thelist] how secure to store credit cards

Keith cache at dowebs.com
Tue Jan 8 22:55:10 CST 2002


Hi Erik

> What I was looking for is exactly authorizenet.com "ADC direct 
> response" method of interacting with their service ... The webserver
> acts as a client to their servers, which carry out the transaction
> and return a response code.

I was unaware that authorizenet is using server-to-server back-
channel communication for the authorization cycle. That's an 
excellent idea because, as you want, it is seamless for the 
consumer. 

These kinds of server-to-server communications are a lot more 
common than you'd think. ServerA can receive a query from the 
browser, pass it off in the back-channel to serverB, which does the 
database work and returns the response to serverA which then 
uses that response in its response to the browser. To the browser 
it appears that everything happened on serverA but in reality 2000 
different serverAs can be using the same common database on 
serverB. Great for inventory control shopping carts selling common 
and limited quantity stock on multiple websites.  I've even set it up 
as a server side include where the included response comes from 
another server. 

My guess is that authorizenet will have all you need for handling this 
with CF. It's really easy to do with perl. It takes only a few lines of 
code to create a browser-on-the-fly that then communicates, as a 
browser/client, with the other server. In perl it's called an 
LWP::UserAgent. The server it talks to has no idea it is talking to a 
cgi script, it thinks it has a browser.  I've never tried emulating the 
browser's half of an SSL session with LWP but I assume it's doable.

As far as SSL goes, the client you create will have to use 
authorizenet's SSL cert, you're still in a client-server relationship.  
You of course will still need to have a cert for your server so you can 
encrypt between the consumer's browser and your server. But like I 
said, I'll bet authorizenet has a CF client template ready to use 
since they would have far more CF users than perl users. If they 
don't have a client template, holler; that would be a nice little niche 
market to fill if they've left it open.

This is a gem of a find Erik. Please let us all know how it goes, how 
much of the work authorizenet has already done for you, how easy or 
hard it is to set up, etc. I think it would make a good evolt article, 
you're not the only one crossing that creek, and it looks like you 
found a bridge.

keith
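
The back-channel exchange described in this message, as an added example that is not part of the original post and is not authorizenet's code: a script on serverA uses LWP::UserAgent as a client toward serverB and fails closed on any transport or parsing problem. The local HTTP::Daemon stub standing in for serverB, the field names, and the `code|reason` reply format are all hypothetical; against a real processor the URL would be `https://`, where `verify_hostname` makes the client check the processor's certificate.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Response;
use LWP::UserAgent;

# serverA side: behave as a client toward the processor and fail closed.
sub authorize {
    my ($url, %fields) = @_;
    my $ua = LWP::UserAgent->new(
        timeout      => 15,
        max_redirect => 0,                        # never re-send payment data to a redirect target
        ssl_opts     => { verify_hostname => 1 }, # applies to https:// URLs: check the gateway's cert
    );
    my $resp = $ua->post($url, \%fields);         # form-encoded POST; do not log %fields
    return (0, 'gateway error: ' . $resp->status_line) unless $resp->is_success;
    my ($code, $reason) = split /\|/, $resp->decoded_content, 2;
    return (1, $reason) if defined $code && $code eq '1' && defined $reason;
    return (0, $reason // 'malformed reply');
}

# Constructed stand-in for serverB; the "code|reason" reply format is hypothetical.
my $server_b = HTTP::Daemon->new(LocalAddr => '127.0.0.1') or die "listen: $!";
my $pid = fork();
die "fork: $!" unless defined $pid;
if ($pid == 0) {
    my $conn = $server_b->accept or exit 1;
    my $req  = $conn->get_request or exit 1;
    my $ok   = $req->content =~ /(?:^|&)amount=\d+\.\d\d(?:&|$)/;
    $conn->send_response(HTTP::Response->new(
        200, 'OK', ['Content-Type' => 'text/plain'], $ok ? '1|approved' : '2|declined'));
    $conn->close;
    exit 0;
}

# The "browser" never sees serverB; it only gets what serverA decides to show.
my ($approved, $reason) = authorize(
    $server_b->url,
    amount     => '19.95',              # hypothetical field names and constructed values
    card_token => 'tok_constructed',
);
waitpid($pid, 0);
print $approved ? "approved: $reason\n" : "declined: $reason\n";
```

Fetching an `https://` URL with LWP::UserAgent also requires the LWP::Protocol::https module to be installed.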




