One of our clients is switching from an in-house, home-grown ERP to NetSuite. Although their home-grown ERP supports Authorize.Net, NetSuite does not. They are therefore looking for an alternative solution for credit card processing. The alternative must work both NetSuite and the e-commerce software (a.k.a. “the system”) that Finite Wisdom has developed for them.
This is a review of potential replacement payment processors for Authorize.Net from a development perspective. It is in consideration of a change to a payment processor with a built-in integration to the NetSuite ERP. This review takes the approach of comparing the way these payment processors could work as compared to the way the current integration with Authorize.Net works.
The alternatives under consideration are:
Current Authorize.Net Integration
The current integration uses a tokenized payment system whereby only the payment processor handles sensitive payment information. It provides the system with tokens to synchronize with the payment processor and redacted versions of sensitive data that it can display.
Authorize.Net provides the following integration points that the system uses:
Customer profile API
This stores sensitive customer payment data. It provides the system with tokens to represent the sensitive data and sanitized versions of the data for display (e.g., credit card with only last four digits shown).
Hosted HTML forms to add and update payment profile data. We use:
Add, update payment methods
Add, update billing addresses
Provides the mechanisms to authorize and capture payments and receive associated responses, using tokens
Note that the hosted forms provide an interesting tradeoff:
We don’t have to handle sensitive data at all
For example, credit card numbers are entered into their pages which store the information back to their servers
However, the hosted pages provide a UI that is not under our control
This is mitigated by using a clean, simple page they provide which we popup over the store page to make it feel like part of the system
CyberSource provides various APIs. It looks like we would primarily use their Simple Order API. This API:
Includes a customer profile API with tokenized payment capability. This appears similar in capability and complexity to what Authorize.Net provides: CyberSource stores customer payment profiles, including sensitive payment information, on their servers. The system would query their system for redacted payment information and tokens to complete transactions.
However, it does not appear to provide hosted HTML forms to update and add payment information. This means we’d have to provide those ourselves. We would not have to handle or store sensitive payment information on the server. However, it means we would have to handle it transiently on a web page. For example, we would provide an HTML form into which the user could enter their payment information, but we would post it to CyberSource’s service using their presumably secure API rather than to our server.
CyberSource also provides a simpler API called Secure Acceptance Web / Mobile. This provides a hosted checkout.
This API would let us avoid dealing with sensitive payment at all, but it takes control of at least a portion of the checkout process to do this. It is customizable in both how it looks and functions to some degree. For example, if the system wants to provide some customer information gathered through its own UI, it accepts that and then doesn’t prompt the user for that information. There is also some level of look and feel customizations available. However, it is likely that using it will require making some degree of compromise in the flexibility that the system currently offers. (To be fair: the hosted forms that Authorize.Net provides for adding and updating sensitive payment information is a trade-off between simplicity and customizability as well. This is just a trade-off in a different place.)
Also, it is not entirely clear whether this integrates with the customer profile API. I would assume so, but if it doesn’t that means a user would have to enter their sensitive payment information each time they checked out.
There are other APIs, but they either don’t appear directly relevant to an integration with the system or don’t offer advantages over the two APIs I listed.
This looks like a more significant integration. As far as I can tell, they do not offer a customer profile API like Authortize.Net and CyberSource that would store a customer’s sensitive payment information. I’ve reviewed all the the API information available on their site and searched through the rest of their site as well.
They do offer:
A payment tokenization API
This means we would not have to store or process sensitive information on our servers. Instead we would collect the payment information in a browser form, send it to MeS, receive a token in response, and then the token would be used for further processing. However, since the payment information is not stored in a customer profile, a user would have to enter their payment information every time rather than be able to select from a list of stored payment methods. This would be mitigated in the case where the user has their browser manage their payment methods, which modern browsers do.
A hosted checkout
This offers the usual trade off between simplicity and customizability. As with CyberSource’s hosted checkout option, there is some customizability, but it’s likely that using it will entail some compromises.
Solupay is offering the “Payeezy” API and related payment manager software. This API provides a hosted checkout, where the page that accepts payment details like credit card info and on which the user confirms the order is hosted by Payeezy. This is simple and secure and allows the system to avoid handling payment details. The API also offers a very limited customer profile API which would allow a customer’s payment information to be stored and reused for subsequent orders.
However, it has the following tradeoff for the system: the hosted payment page cannot be fully customized. It can be styled with a customized color scheme and logo, but that’s all.
Unsurprisingly, none of these provides a simple drop-in replacement for Authorize.Net.
To me, CyberSource is the closest to what already exists. The tokenized customer profile API that is part of their Simple Order API will allow the system’s end users to store payment information for later reuse and allows the system to avoid storing or processing sensitive payment information.
On the downside, CyberSource does not support a hosted checkout, which appears to be a hard requirement. To use CyberSource, I believe we would most likely need to implement forms to replace the hosted forms that Authorize.Net provides to add and update payment methods and billing addresses. These are security sensitive pages. The current security best-practices for such pages are well-known and documented so this isn’t that hard. But it does create a maintenance burden because these best-practices are evolving fairly quickly. That is, it’s likely that such pages will need to be updated -- either in code or configuration -- to maintain security as new vulnerabilities emerge.
Merchant e-Solutions has nice developer documentation and a straightforward API. However it did not appear to me to support storing customer payment information. This means an end user would need to enter payment information on each checkout which could be an issue for stores where users are expected to return and order multiple times. The fact that modern browsers can manage, store and auto-fill a user’s payment information mitigates this issue to a degree.
Lastly, Solupay’s Payeezy API offers a hosted checkout option which is on par with the hosted checkout option the other payment processors provide. In addition, it does offer a tokenized payment API, allowing the system to handle the payments page without handling sensitive payment information. It also provides a very limited (but probably sufficient for our needs) customer profile API, allowing a customer’s payment information to be stored securely and reused in subsequent orders without reentry.
All that said, I recommend replacing Authorize.Net with Solupay’s Payeezy API.