I had sent this question to a Parallels sales engineer and they confirmed this does not exist currently in Plesk billing. Does this exist anywhere out there?

Let me know who else thinks recurring billing in hosting billing solutions like Plesk/WHMCS etc needs an overhaul.....


Regarding Plesk billing, I’ve noticed some possible security issues / PCI compliance problems. The problem I see with Plesk billing is that it stores sensitive credit card on the physical server which I see can be a security issue. Traditionally, the way we currently manage our recurring billing is via Payflow Pro Recurring billing subscriptions/API which is similar to Authorize.net’s ARB system (automated recurring billing) which has an API. We submit to the gateway credit card information and it becomes a " subscription profile " where credit card and sensitive customer credit card/ billing information is stored with the gateway (Payflow Pro or Authorize.net ) themselves with set recurring billing paramaters (eg bill monthly on this date) . The information is then accessed via a stored Profile ID which the API requires to identify and make changes to a profile/recurring subscription. This reduces our liability and makes it so that our staff or any unauthorized user does not have access to sensitive credit card information.

According to what I see in the documentation and demos, Plesk billing doesn’t support recurring billing with these popular payment gateways. This somewhat worries me in that if someone hacked in to the server and we had 1000 credit card numbers from 1000 customers that they were able to access, this could be a major security breach. I’m somewhat shocked that "gateway-side" (not "server-side") recurring billing isn’t integrated with Plesk billing with all the people that use Modern Bill / Plesk billing.

But maybe I’m wrong and the encryption used to store credit card numbers is sufficient? Is Plesk billing PCI compliant and safe to use for recurring billing purposes? Have there been any issues? I really want to use the Plesk billing /panel/builder for the most automation but I want to make sure our customer credit card information is secure as well as if possible compliant?

Let me know!

Hello,

Yes, this is somewhat a problem when it comes to liability. We were considering PCI certification when we put up a credit card only hosting business a year and a half ago. However, due to the extensive costs related to the initial and ongoing certification we had the choice of doing business without it (giving a security statement only, which at the time was allowed by the CC companies, although not recommended), or looking into partnering with gateways that provide the features you are referring to.

Our choice was the latter, and the way we solved it was to create a custom gateway module for the software we used (WHMCS) - in fact, we had the creator of WHMCS (Matt) do most of it as a custom development job, and then we did some final touches. It all proved to be rather uncomplicated. Today we don´t store any credit card numbers at all, they´re all stored at the gateway.

The downside of this, obviously, is that if you sometime have to change gateway provider, you´re gonna loose the cards already stored. But compare that to the cost of actually being PCI compliant, and to smaller hosts I believe that´s worth it.

Yea right now I'm trying to get Plesk billing (formerly Modern bill) the way we need it to work for a new company offering.. but I think I'm going to just use our old custom ordering system that is integrated with payflow pro... I think the benefits of using authorize.net or payflow pro recurring profiles via API are many...

1. No liability.. obviously you dont have to store the card which means as long as you submit the transactions via SSL you arent required to be PCI compliant (at least from what I know)..

2. Automation and Less Headaches... - Cron jobs sometimes goof... one bug in the cron script for daily billing/credit card captures can cause major problems.... I would say every other host I've used in the past has had some kind of billing problem related to their software either not working right or accidentally charging their customers multiple times.. With having it on the gateway side you dont have to worry about your server goofing with cron.. Once the profile is set you can sit back relax and know your customers will get charged on the day they signed up each month...

3. No need to store anything - using the API's you can have a soft copy of customer billing info in your database... but all the billing information is stored with the gateway in its own schema so you just have to make your billing software access/update it

4. No Invoicing - I think invoices are annoying and I dont the model of send an invoice send a receipt for every recurring transaction... once you signup for something it should be a onetime receipt/invoice and maybe send a receipt everytime a re-charge is conducted. Many recurring services (such as GotoMeeting etc) I subscribe too just send a receipt which is perfect and all thats necessary not the extra paid unpaid invoices... eg.. Send "Invoice Due #1234" ... "Credit Card Receipt for Invoice #1234) .. If we got rid of all the monthly/daily "Invoice and Receipt" emails from hosting companies and recurring providers we could probably save tons of CO 2 :) :stickout:

Anyways, I hope the makers of the hosting billing softwares see my point here and create a solution...