Tags: paypal, payment-processing, pci-compliance

Capturing credit card information for later without transmitting it to the webserver?


I am looking for a solution that will allow us to collect cardholder data for later use without storing data on or transmitting it through our own systems. Our main motivation is to reduce the burden of PCI compliance without compromising the flexibility of our website payment solution.

Solutions we have rejected (possibly incorrectly?):

  • Paypal Vault: We have not found an obvious way to use the API on the client side; it seems like we'd need to transmit the data to our servers first.
  • $1 authorization for future reference transactions -- these are only good for 24 months, and since there is a cost associated with every authorization, we would prefer not to do this. Plus, it seems like an outdated practice now that $0 validation transactions are available.

A little more background on our existing setup:

We currently use Paypal / Payflow as our gateway. At checkout, customers can enter a card and indicate that we should save it for faster checkout later. The card is not run at all until the order is ready to ship (sometimes six months later), though we would like to add a step for a $0 validation transaction. Both features ("save my card on my account" and delayed processing) are important to us.


Solution

  • Well, you're eliminating the answer, unfortunately. Reference transactions are the way to go. It's far from an outdated practice. The $0 authorization is what you would use to generate the ID to pass into the DoReferenceTransaction API.

    2 years is quite a long time for something like that to work. In many cases the person's credit card will have probably expired and they would need to update anyway, so you just need a system for people to renew their authorization when it becomes necessary. If it's a system that is getting that much use then that process could be built in with just a couple of additional clicks for the user when they sign in to their account with you.

    If it's more of a one time thing where they're submitting an order and you're just processing it later then that should be plenty of time for that. You said yourself that could be 6 months. That's well within 24 months, so I don't see the problem there.

    Keep in mind you can do the same thing with Express Checkout, too, but it's called a Billing Agreement there. In the SetExpressCheckout request you would include billing agreement parameters, and then the billing agreement ID you get back from the completed checkout / authorization is what you would use with DoReferenceTransaction.

    That really is the best way to handle it, so again, if you're going to eliminate that option then you're really doing yourself a disservice.
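To make the answer's flow concrete, here is an added example (mine, not the answerer's or PayPal's code) of the part a merchant keeps on its own systems: only the reference ID from the $0 authorization and the date it was obtained, never the card number or CVV, so the stored record is out of PCI scope for cardholder data. When the order ships, the code checks the 24-month window the answer describes, builds the DoReferenceTransaction request, and interprets the NVP response. The NVP parameter names (METHOD, REFERENCEID, PAYMENTACTION, AMT, CURRENCYCODE, ACK, TRANSACTIONID, L_LONGMESSAGE0) are from PayPal's classic NVP API as I know it; the credentials, IDs, the `VERSION` string and the `fake_gateway` stand-in for the HTTPS POST are constructed placeholders, and the month arithmetic is my own approximation of "24 months".

```python
from datetime import date
from urllib.parse import urlencode, parse_qs

# Constructed placeholders: real values come from the merchant's PayPal API account.
CREDENTIALS = {"USER": "api-user.example.com", "PWD": "placeholder", "SIGNATURE": "placeholder"}
NVP_VERSION = "124.0"        # assumed classic NVP API version string
REFERENCE_MAX_MONTHS = 24    # validity window of a reference transaction, per the answer


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later` (never negative)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return max(months, 0)


def reference_is_usable(obtained_on: date, today: date) -> bool:
    """True while the stored reference ID is inside its 24-month window."""
    return months_between(obtained_on, today) < REFERENCE_MAX_MONTHS


def build_reference_charge(reference_id: str, amount: float,
                           currency: str = "USD", action: str = "Sale") -> dict:
    """Parameters for a DoReferenceTransaction call; no card data is needed."""
    if amount <= 0:
        raise ValueError("charge amount must be positive")
    return {
        "METHOD": "DoReferenceTransaction",
        "VERSION": NVP_VERSION,
        **CREDENTIALS,
        "REFERENCEID": reference_id,      # ID returned by the earlier $0 authorization
        "PAYMENTACTION": action,
        "AMT": f"{amount:.2f}",
        "CURRENCYCODE": currency,
    }


def parse_nvp_response(body: str) -> dict:
    """Flatten an NVP (URL-encoded key=value) response into a plain dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def charge_when_shipping(saved_card: dict, amount: float, today: date, send) -> dict:
    """saved_card holds only {'reference_id', 'obtained_on'}; `send` posts the encoded
    request and returns the raw NVP response body."""
    if not reference_is_usable(saved_card["obtained_on"], today):
        # Window expired: ask the customer to re-authorize instead of failing silently.
        return {"status": "renewal_required"}
    request = urlencode(build_reference_charge(saved_card["reference_id"], amount))
    response = parse_nvp_response(send(request))
    if response.get("ACK", "").startswith("Success"):   # Success or SuccessWithWarning
        return {"status": "charged", "transaction_id": response.get("TRANSACTIONID")}
    return {"status": "failed", "error": response.get("L_LONGMESSAGE0", "unknown error")}


def fake_gateway(encoded_request: str) -> str:
    """Constructed stand-in for the HTTPS POST to PayPal; answers every well-formed
    reference charge with a success response."""
    req = parse_nvp_response(encoded_request)
    if req.get("METHOD") != "DoReferenceTransaction" or not req.get("REFERENCEID"):
        return urlencode({"ACK": "Failure", "L_LONGMESSAGE0": "missing reference id"})
    return urlencode({"ACK": "Success", "TRANSACTIONID": "TX-PLACEHOLDER-001",
                      "AMT": req["AMT"], "CURRENCYCODE": req["CURRENCYCODE"]})


if __name__ == "__main__":
    saved = {"reference_id": "REF-PLACEHOLDER", "obtained_on": date(2014, 1, 15)}
    print(charge_when_shipping(saved, 49.99, date(2014, 7, 15), fake_gateway))
    print(charge_when_shipping(saved, 49.99, date(2016, 2, 1), fake_gateway))
```

The point of the shape is that the only secret the merchant database holds is the reference ID, which is useless outside the merchant's own API credentials; the renewal branch is what the answer means by "a system for people to renew their authorization when it becomes necessary".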