Posted: August 25, 2020 at 11:13 am
We have been using Authorize.net AIM to accept onsite payments through credit/debit cards.
We are now planning to accept offsite payments. We found the Authorize.net Accept add-on, which offers to embed payment details such as CC number, CVV and expiry date within an iFrame.
Would like to understand if there are any security issues if we use Authorize.net AIM and also let us know if there are any other options for accepting offsite payments.
Please do help us in understanding which is the better way to accept payments through credit/debit cards.
Look forward to hearing from you.
May I ask what you mean by off-site payments?
The reason I ask is I think there may be some confusion about what on-site and off-site payment methods are here, so first a quick explanation.
OFF-site payment methods basically send the user ‘off-site’ to make the payment. The classic example of these is PayPal, where you select your items on the site and click a button to pay with PayPal. You (the user) are sent to PayPal servers to make the payment on their servers, PayPal control the checkout process themselves and they then communicate back to your site that a payment has been made and also redirect the user back to your site again.
ON-site payment methods allow you to keep the user on your site to accept payments. Generally, this means that the payment details are captured on your server and then sent over to your payment provider who process them and return a ‘success’ or ‘failed’ response for authorizations and capture of funds.
ON-site payment methods give you (the admin) the greatest amount of control and flexibility in that you can customize the look and feel of the payment form if you are comfortable with PHP. However, they also bring the highest liability as your own server has access to the card details during checkout so if your server is compromised then it’s possible for someone to capture those details.
ON-site payment methods require the highest level of PCI compliance and Auth.net AIM request SAQ-D.
OFF-site payment methods require the lowest PCI requirement, usually SAQ-A.
In short, for the lowest liability and least amount of effort on your part for remaining compliant, you should be using an OFF-site payment method.
Auth.net Accept can be considered a ‘hybrid’ in that using an iFrame it loads the payment options ON your site, but it’s actually an OFF-site payment method. Meaning the user ‘stays’ on your site but is actually inputting their card details on Auth.net’s servers.
Thanks in advance
No, you can’t change very much with most off-site payment methods.
You have the EE4 Everything license which means you have access to all of our add-ons, so I recommend installing the Auth.net Accept add-on and checking how it looks on your site.
With Event Espresso you have the Auth.net SIM payment method (deprecated by Auth.net in favour of Accept) or the Auth.net Accept payment method for offsite payments.