Authorize.Net Directpost is Overly Complex

One of the necessary evils that every ecommerce website accepting credit card transactions must deal with is some sort of payment processing company. Authorize.net happens to be one of the largest payment processors around, and it lets you choose from a few different ways to integrate its payment processing into your website. One of those options is DirectPost, which allows an eCommerce website to process a credit card transaction without the card details ever being sent through the website's own servers.

Ensuring that no credit card information passes through your website is useful for PCI compliance and lowers the potential losses in the event of a breach like the ones that have affected Sony, Home Depot, and Target, among others. Even so, the implementation of this payment method is less than ideal, especially if you are using Magento as your eCommerce platform. With Magento, the credit card information is entered into a form contained in an iFrame that is served from Authorize.net's servers. Once the order is ready to be submitted, JavaScript triggers the form submission to a completely separate domain, with the form's target set to that same iFrame, which reloads with the response.

When the response from Authorize.net returns, an error may be displayed for credit card verification issues as well as many other reasons. Unfortunately, because the iFrame's content originates on another domain, any attempt from JavaScript to inspect or modify that content is blocked by the browser's same-origin policy, its cross-site protection against one origin's scripts reading another origin's content. As a result, the only way you know that something has loaded in the iFrame is that you can listen for the iFrame's onLoad event and respond to it accordingly.

Many times the response rendered in the iFrame contains a redirect that sends the browser to the checkout success page. Other responses display a standard error message. However, all of this relies on Authorize.Net successfully validating and authorizing the credit card payment information. If an error occurs that would typically produce an HTTP 50X response, and that response is returned to the user's browser, there is no way of knowing what was rendered in the iFrame, since the JavaScript in the parent page cannot access it.
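To make the limitation concrete, here is an added example (not code from the original post, from Magento, or from Authorize.Net) that models the only two signals the checkout page really has once the card form lives in a cross-origin iFrame: the frame's load event and the page's own URL. It shows that a same-origin frame can be read while a cross-origin frame is opaque, and that the safe way to handle an opaque response is to wait a short grace period for the success redirect and otherwise show the customer a generic failure instead of hanging. The success-URL pattern, the fake timers, and the stand-in iFrame object are assumptions for illustration.

```javascript
// Added example, not code from the original post, Magento, or Authorize.Net.
// Models what a checkout page can and cannot learn from a cross-origin payment
// iFrame. The success URL pattern and the fake objects below are assumptions.

// Report whether an iFrame's document can be read. A same-origin frame exposes
// its document; a cross-origin frame returns null from contentDocument and
// throws a SecurityError from contentWindow.document. Both cases are reported
// as "not readable" so the exception never escapes into the checkout code.
function inspectFrame(frame) {
  try {
    const doc = frame.contentDocument || (frame.contentWindow && frame.contentWindow.document);
    if (!doc) return { readable: false, reason: 'cross-origin' };
    return { readable: true, text: doc.body ? doc.body.textContent : '' };
  } catch (err) {
    return { readable: false, reason: (err && err.name) || 'SecurityError' };
  }
}

// Watcher for the submit-then-wait cycle. `timers` is injected ({setTimeout,
// clearTimeout}: the browser's in production, a fake below) so the decision
// logic can be exercised outside a browser.
function createPaymentWatcher({ frame, timers, graceMs, onResult }) {
  let submitted = false;
  let settled = false;
  let pending = null;
  const log = [];

  function settle(result) {
    if (settled) return;
    settled = true;
    if (pending !== null) { timers.clearTimeout(pending); pending = null; }
    log.push(result.status);
    onResult(result);
  }

  return {
    log,
    // Called when the checkout JavaScript submits the card form into the iFrame.
    submit() { submitted = true; log.push('submitted'); },
    // Called from the iFrame's onload handler. Before submission it is just the
    // empty form arriving; after submission it is the only sign a response came back.
    frameLoaded() {
      if (!submitted) { log.push('form-ready'); return; }
      const peek = inspectFrame(frame);
      if (peek.readable) { settle({ status: 'readable', text: peek.text }); return; }
      log.push('opaque-response');
      // A good response carries a redirect that moves the whole page to the
      // success URL within moments. If that never happens, the frame most likely
      // holds an error page (or a 50X) we cannot see, so tell the user plainly.
      pending = timers.setTimeout(
        () => settle({ status: 'unknown-response', reason: peek.reason }), graceMs);
    },
    // Called when the page's location changes (assumed hook, e.g. beforeunload).
    navigated(url) {
      if (submitted && /\/checkout\/onepage\/success\b/.test(url)) settle({ status: 'success' });
    },
  };
}

// Fake timers so the model runs without a browser: callbacks are fired by tick().
function makeFakeTimers() {
  const queue = new Map();
  let next = 1;
  return {
    setTimeout(fn, ms) { queue.set(next, { fn, ms }); return next++; },
    clearTimeout(id) { queue.delete(id); },
    tick() { const due = [...queue.values()]; queue.clear(); due.forEach(t => t.fn()); },
  };
}

// Constructed stand-in for a cross-origin iFrame: contentDocument is null and
// contentWindow.document throws, as a browser does for another origin.
function makeCrossOriginFrame() {
  return {
    contentDocument: null,
    contentWindow: {
      get document() {
        const e = new Error('Blocked a frame from accessing a cross-origin frame.');
        e.name = 'SecurityError';
        throw e;
      },
    },
  };
}

// One failed cycle: the frame reloads, nothing can be read, no redirect arrives,
// and the watcher falls back to a generic "unknown response" result.
function runOpaqueFailureScenario() {
  const timers = makeFakeTimers();
  const results = [];
  const watcher = createPaymentWatcher({
    frame: makeCrossOriginFrame(), timers, graceMs: 3000, onResult: r => results.push(r) });
  watcher.frameLoaded();   // initial load of the empty form
  watcher.submit();
  watcher.frameLoaded();   // response rendered, but opaque to the parent page
  timers.tick();           // grace period elapses with no redirect
  return { log: watcher.log, results };
}

// Happy path: the response's redirect moves the page to the success URL in time.
function runSuccessScenario() {
  const timers = makeFakeTimers();
  const results = [];
  const watcher = createPaymentWatcher({
    frame: makeCrossOriginFrame(), timers, graceMs: 3000, onResult: r => results.push(r) });
  watcher.frameLoaded();
  watcher.submit();
  watcher.frameLoaded();
  watcher.navigated('https://shop.example/checkout/onepage/success/');
  timers.tick();           // timer was cleared on success; nothing fires
  return { log: watcher.log, results };
}
```

The point of the grace-period fallback is that an opaque 50X page in the frame must not leave the customer staring at a frozen checkout: the page cannot read the failure, but it can notice that no redirect happened and say so, while the server-side relay handler remains the place to log what actually came back.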

Although the DirectPost functionality provided by Authorize.Net holds great promise, there have been reports on Stack Exchange and elsewhere that users regularly have issues with DirectPost, and many developers who have attempted to implement it on their sites have given up and turned back to much simpler credit card processing methods.
