Authorize.net payments uses deprecated API

Bug #1939061 reported by Jane Sandberg
This bug affects 2 people

Affects: Evergreen
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The authorize.net integration for credit cards uses Business::OnlinePayment::AuthorizeNet, which uses AuthorizeNet's AIM API, which is deprecated. It doesn't look like B::OP::AuthorizeNet has been updated since 2015, so I'm not too hopeful that they will be able to rewrite it for the new version.

Jason Boyer pointed out that the Stripe integration is all client-side now. It seems like AuthorizeNet encourages something similar: client-side JavaScript that uses their "Accept.js" library, which is hosted on AuthorizeNet servers: https://developer.authorize.net/api/reference/features/acceptjs.html#Integrating_the_JavaScript_Library_into_Your_Page

Jason Boyer (jboyer) wrote :

My late-night jest on IRC wasn't 100% correct. Looking now, there is a Perl module involved in talking to Stripe, but rather than handling CC numbers it only deals in tokens and such. Business::Stripe does receive updates, though, and makes it easy to change the version of Stripe's API used.

That said, if Auth.net can function in a similar way that would be great! Not having CC numbers touch the server's network makes PCI compliance easier and also should make everyone feel better all around.

Jane Sandberg (sandbergja) wrote :

For anybody who takes this ticket, our campus business office recommends that Evergreen be able to authorize transactions (current behavior) and subsequently capture them (which would be new behavior). This would save them from manually capturing each transaction.

It looks like that is possible through the API: https://developer.authorize.net/api/reference/index.html#payment-transactions-capture-a-previously-authorized-amount

I wonder if this should be configurable behavior, if some sites prefer a manual process for capturing those transactions.

Jane Sandberg (sandbergja) wrote :

Maybe scratch my previous comment. The transactions reaching our college business office all have the transaction type "Authorization w/auto capture". So maybe the issue was on AuthorizeNet's side: Evergreen told it to auto capture and it failed to do so.

tags: added: circ-billing opac
removed: billing
tags: added: opac-account
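
An added example, not Evergreen code and not posted by anyone in this thread: a sketch of the server side of the token-based flow discussed above, where the browser posts only the Accept.js opaqueData token and the server chooses between authorize-only and authorize-with-capture. The function names, the `captureNow` switch and the amount format check are hypothetical; the JSON field names follow Authorize.net's createTransactionRequest, and all credentials and token values are constructed.

```javascript
// Added illustration, not Evergreen code. Function names are hypothetical;
// field names follow Authorize.net's createTransactionRequest JSON.
const RAW_CARD_FIELDS = new Set(['cardNumber', 'cardCode', 'expirationDate', 'creditCard']);

// Recursively list any raw card fields in a posted body, with their paths.
function findRawCardFields(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const here = path ? `${path}.${key}` : key;
    return (RAW_CARD_FIELDS.has(key) ? [here] : []).concat(findRawCardFields(child, here));
  });
}

// Build the gateway request from the token Accept.js handed to the browser.
// captureNow=false authorizes only, leaving capture as a later, separate step.
function buildChargeRequest(merchantAuth, posted, amount, captureNow) {
  const leaked = findRawCardFields(posted);
  if (leaked.length) throw new Error(`raw card data reached the server: ${leaked.join(', ')}`);
  const { dataDescriptor, dataValue } = (posted && posted.opaqueData) || {};
  if (!dataDescriptor || !dataValue) throw new Error('missing Accept.js opaqueData');
  if (!/^\d+\.\d{2}$/.test(amount)) throw new Error('amount must look like "12.50"');
  return {
    createTransactionRequest: {
      merchantAuthentication: merchantAuth,
      transactionRequest: {
        transactionType: captureNow ? 'authCaptureTransaction' : 'authOnlyTransaction',
        amount,
        payment: { opaqueData: { dataDescriptor, dataValue } },
      },
    },
  };
}

// Capture a previously authorized amount by referencing the earlier transaction id.
function buildCaptureRequest(merchantAuth, refTransId, amount) {
  if (typeof refTransId !== 'string' || !refTransId) throw new Error('refTransId is required');
  return {
    createTransactionRequest: {
      merchantAuthentication: merchantAuth,
      transactionRequest: { transactionType: 'priorAuthCaptureTransaction', amount, refTransId },
    },
  };
}
```

Rejecting a body that carries card fields, rather than silently ignoring them, surfaces a misconfigured payment form before card numbers end up in server logs.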