Web Hosting Talk







Do any gateways have 'charge by reference #'?


Dan Grossman
07-27-2006, 08:12 AM
I'm having a lot of trouble finding a way to charge my customers different amounts each month without storing their credit card numbers. I'm going to try my request a little different from the last thread to see if it catches anyone's attention:

Are there any payment gateways that support some type of "charge by reference #", where their API returns a reference/transaction number after I make an initial charge, and I can use that number to charge the same card again in the future without sending the whole number?

rghf
07-27-2006, 08:56 AM
Sorry if it's been asked before. Why don't you want to store the CC numbers, or is it just a matter of peace of mind?

Dan Grossman
07-27-2006, 09:10 AM
Sorry if it's been asked before. Why don't you want to store the CC numbers, or is it just a matter of peace of mind?

Because the potential liability should the server be compromised would be more than the value of my business. More than the value of most businesses on WHT probably.

Just to give you an idea, if you have a single VISA card number stolen, and VISA doesn't find a processor (all the way down the chain) to be compliant with their standards when it happened, the fine is $500,000.

globaltap
07-27-2006, 09:53 AM
I am not 100% certain, but I believe that you can do this with authorize.net. I know that you can set up/manage recurring charges with them using the API.

I have also worked with recurring charges using PayPal as the merchant.

Both of these solutions would help in limiting the need to store credit card numbers locally.

Hope this helps!

Dan Grossman
07-27-2006, 09:57 AM
I am not 100% certain, but I believe that you can do this with authorize.net. I know that you can set up/manage recurring charges with them using the API.

I know they have no API for their recurring billing feature. It's all manual and charges the same amount each month.

I don't think they have a way to charge by reference number, do they?

Dan Grossman
07-27-2006, 10:10 AM
I don't think they have a way to charge by reference number, do they?

Well, they kinda do. I can capture using only an auth code, but according to the help guide, an authorization expires after 30 days. So I can't keep using it for however many years this person is my customer.

I'm really stumped. Does every site on the web that wants to charge customers variable amounts monthly have to have the millions of dollars of potential fines looming over them as they store the credit card numbers on their own servers?

JKLIVIN
07-27-2006, 11:12 AM
Well, they kinda do. I can capture using only an auth code, but according to the help guide, an authorization expires after 30 days. So I can't keep using it for however many years this person is my customer.

I'm really stumped. Does every site on the web that wants to charge customers variable amounts monthly have to have the millions of dollars of potential fines looming over them as they store the credit card numbers on their own servers?

That is our understanding of the new PCI rules from last year. We do not recommend storing any PII or CC #'s for your customers for any amount of time (encrypted or not.)


Are there any payment gateways that support some type of "charge by reference #", where their API returns a reference/transaction number after I make an initial charge, and I can use that number to charge the same card again in the future without sending the whole number?

Yes there are. With a transaction ID, there is a very simple way for merchants to securely charge cards and not incur the liability of storing the cards. I believe that most merchants in the next year/2 will be almost forced by Visa/MC to not store cards or not be allowed to process through them directly.

RiskPayments
07-27-2006, 11:26 AM
I am not 100%, but I think that Verisign's PayFlowPro offers some type of Reference Number/Transaction ID along the lines of what you are looking for.

Dan Grossman
07-27-2006, 12:38 PM
Yes there are. With a transaction ID, there is a very simple way for merchants to securely charge cards and not incur the liability of storing the cards.

Do you know of any gateways offered now that have this? I can think of two that might do it, and both cost around $300 to start and $60+ per month. Compared to Authnet at $15/mo and no setup, it's quite a hefty fee.

motytrah
07-27-2006, 01:13 PM
Verisign might do it via payflow pro. They do recurring, and the API is supposed to be very full featured. They are more than Auth.

I've seen a lot of this done via shrink wrap software packages. There are several packages out there that are supposed to be secure and encrypt credit card data internally.

For me, I keep retained customer billing information on a secured network at the business office. Not on the web server at the co-lo. Billing information is pushed off the web server via a heavily restricted encrypted connection.

As far as the liability, I guess it depends on the resources at hand. If you're using an off-the-shelf CC billing program, have a commercial firewall product, and are making security updates on a regular basis, you're following due diligence, and your risk is fairly low.

To be on the safe side I carry the standard $1M business liability policy.