Leaderboard

It's been over 10 years since I messed with Authorize.net API. I first used it to allow people to make single secure payments from a web page of mine to a bank account. That's it. Back then, they didn't have all of this fancy new stuff. Therefore, i really don't have any valuable comparisons to give. Also, I do not consider myself to be anything close to an expert (or even intermediate) level of creating secure systems. I ran a mail server about 6 years ago and that was a total nightmare. Literally, as soon as the server went live, it was plagued with bots and whatever else that started using my SMTP server as an open relay and my IP became blacklisted pretty quickly for spam. I google ad nauseum for how to secure this and how to secure that and what the best practices were, but I was in way over my head with absolutely no budget for anything to help me out. After 4 years of trying to maintain a mail server that successfully sent and received mail with no issues (though, there were still issues), I finally was able to convince my boss to switch to a Google Business account and let them handle all of that guff. Mail servers are an absolute nightmare that I wouldn't wish upon my worst enemy. I mean, installing SSL certificates is easier than maintaining a mail server. Anyway, this topic has nothing to do with mail servers. You know, I've never tried to even perform a breach in my life. I've never even tried to breach myself. It's an exhausting realm of web development that I avoid like the plague. Really, what is secure? Unless you're a Fortune 1000 company or something, I doubt you're going to have a hoard of people trying to hack your site; don't flatter yourself. I was a web developer and ran probably the least secure site, in my opinion, but the audience for that site was so minuscule compared to that of large corporations. It's about the same concept as viruses. Most people running a *nix system do not really need to worry about viruses because *nix systems do not take up much of the market share for personal computers. However, Windows is always being probed and poked and molested because it has a gigantic user-base. In any case, Authorize.net seems to have improved pretty much everything they had when I messed with it over a decade ago. Most, if not everything, of what I utilized is gone or deprecated. I mean, I would trust it. At the end of the day, though, the most secure you'll ever be able to make your system is if you cut it off from the net. If it's not on the internet, you really have nothing to worry about. If you're not connected to the internet, you're not going to get any viruses anytime soon. I know that's not an answer, but it's a hard truth to accept. Online banking is really awesome in my opinion, but I know that at any particular time, something could go awry and cause my life hell.

If you are using Authorize.net, then you can setup Customer Payment Profiles, using their API. You can then store (or relegate) the customer payment profile id to your users table in your database. Then, you don't have to worry about storing credit cards info anywhere. https://developer.authorize.net/api/reference/index.html#customer-profiles-get-customer-payment-profile Maintaining reconciliation with Authorize.net customer profiles and your own database/table of users can allow you to do what you're attempting to do. Using the API, you can send a request for the current users list of payment profiles. If there are more than two profiles, then you can write in whatever logic you want in your PHP script, for instance, aborting the chance of a transaction from the user, showing them an error message. Everything you need and more is available in their API.