
multiple captures on a single credit card authorization


In lieu of saving credit card information locally for recurring payments, I was thinking I could request an authorization from a payment gateway for a certain amount and then capture that amount multiple times, every month or so.

One payment gateway's documentation says "Captures can be submitted for an amount equal to or less than the original authorization". That's a little bit of a problem since these recurring payments would be variable (i.e., you're billed based on how many API requests you make, which could be more or less than last month). Another payment gateway's documentation says you can only capture when "the original Authorization Only transaction was submitted within the previous 30 days", which makes me think that a second capture done sixty days out (vs. the thirty days out of the first capture) wouldn't work.

From what I've read, a lot of places do recurring payments by saving the credit card number (encrypted) but not the CVV, and then for recurring charges they do a new authorize and capture transaction each month. The problem with this, as I understand it, though, is that saving the CC #, even if encrypted, requires full PCI DSS compliance, which, administratively, seems to be a huge hassle, with requirements like "Verify access to all audit trails is logged" and "Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media".

Authorize.net has a CIM API that seems like it'd fit the bill, but I dunno... my employer doesn't want to work with Authorize.net, so I guess that's off the table.

Any ideas?


Solution

  • You won't be able to do this - there are enough gateways that support recurring payments that you should process the transaction as a recurring transaction rather than trying to do multiple captures from a single auth.

    When you have your gateway do the recurring transaction, they store the credit card transaction, you don't. Too bad about a.net, they do a great job on just this sort of transaction.

    You may want to look at stripe.com.