6
votes

Does anyone have any experience with card on file services for credit cards, that handle the storage of credit card information for ongoing purchases?

We are looking for a solution that can be integrated with a custom ASP.NET app via a web service or similar but removes the storage of the info from our side of the equation, in order to reduce risk and address PCI compliance issues.

We need a solution that allows us to do ongoing billing at varying amounts for a card pass system, not recurring monthly fixed subscription billings.


3 Answers

4
votes

I don't mean to sound like a shill, but I would check out Cybersource, which has a storage service like you're suggesting. Cybersource also purchased Authorize.net, which is targeted towards smaller businesses.

1
votes

I'd recommend talking to your bank and asking them for recommendations. Then I'd also call Visa and Mastercard directly to see who's at the top of their lists.

I'd basically require a word-of-mouth recommendation from someone who is going to be part of that transaction process, because they have a financial interest in this, i.e. your bank.

Of course, there is still the possibility of problems. Big names like ChoicePoint have even had security problems. Try to make sure it's a publicly traded company. That way you can do a little due diligence in checking out their assets and partners to make sure it works for you.

1
votes

The best thing to do is integrate with a payment gateway that supports 'tokenization'. Basically, when you do the initial transaction, the gateway processes the card and then sends you back a token for that transaction. You can use that token for any subsequent transactions such as repeat sales and refunds of the original charge. I personally have worked with the MerchantWARE gateway, which supports these features. There are also a few others out there. These gateways basically act as a vault for the card numbers, but since you are just sending the token back and forth, PCI does not apply. Keep in mind that the initial transaction still puts you in scope of PCI since that has the credit card data, unless you use software that offloads that first transaction as well.
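To make the tokenization flow in this answer concrete, here is an added example (not code from the answer, and not the MerchantWARE API or any real gateway's API) that simulates the two sides in Python: a hypothetical `GatewayVault` that is the only place the card number is ever stored, and a hypothetical `MerchantCardPass` app that keeps nothing but the token and the last four digits, then charges varying amounts and refunds against that token. The card number, customer ids and amounts are constructed test values; the class and method names are assumptions for illustration. The `holds_no_pan` audit shows what the PCI scope reduction actually means on the merchant side: nothing persisted there passes a Luhn check.

```python
import re
import secrets
import string
from dataclasses import dataclass


# ---- Gateway side (hypothetical simulation of a tokenizing payment gateway) ----

def luhn_ok(pan: str) -> bool:
    """Luhn check a gateway runs before it accepts a card number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Transaction:
    txn_id: str
    token: str
    amount_cents: int             # negative for refunds
    kind: str                     # "sale" or "refund"


class GatewayVault:
    """Simulated gateway: holds the PAN, hands the merchant an opaque token."""

    def __init__(self):
        self._vault = {}          # token -> (pan, expiry); never leaves the gateway
        self.transactions = []

    def tokenize_and_charge(self, pan: str, expiry: str, amount_cents: int):
        """Initial transaction: process the card, store it, return a token."""
        if not luhn_ok(pan):
            raise ValueError("card number failed Luhn check")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        # Random token, not derived from the PAN, so it cannot be reversed or guessed.
        # Letters only, so a token can never be mistaken for a card number by an audit.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._vault[token] = (pan, expiry)
        return token, self._record(token, amount_cents, "sale")

    def charge_token(self, token: str, amount_cents: int) -> Transaction:
        """Subsequent sale at any amount, referencing the stored card by token."""
        if token not in self._vault:
            raise KeyError("unknown token")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        return self._record(token, amount_cents, "sale")

    def refund(self, token: str, original_txn_id: str, amount_cents: int) -> Transaction:
        """Refund against an earlier sale; capped at that sale's amount."""
        original = next((t for t in self.transactions
                         if t.txn_id == original_txn_id and t.token == token
                         and t.kind == "sale"), None)
        if original is None:
            raise KeyError("no matching sale for this token")
        if not 0 < amount_cents <= original.amount_cents:
            raise ValueError("refund exceeds original sale")
        return self._record(token, -amount_cents, "refund")

    def _record(self, token: str, amount_cents: int, kind: str) -> Transaction:
        txn = Transaction("txn_" + secrets.token_hex(8), token, amount_cents, kind)
        self.transactions.append(txn)
        return txn


# ---- Merchant side (the custom app from the question, simulated) ----

PAN_CANDIDATE = re.compile(r"\d{13,19}")


class MerchantCardPass:
    """Card pass billing app that persists only tokens, never card numbers."""

    def __init__(self, gateway: GatewayVault):
        self.gateway = gateway
        self.customers = {}       # customer_id -> {"token": ..., "last4": ...}

    def enroll(self, customer_id: str, pan: str, expiry: str, first_amount_cents: int):
        # The PAN passes through memory here (that first transaction is still in
        # PCI scope, as the answer notes) but is never written to merchant storage.
        token, txn = self.gateway.tokenize_and_charge(pan, expiry, first_amount_cents)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}
        return txn

    def bill(self, customer_id: str, amount_cents: int) -> Transaction:
        return self.gateway.charge_token(self.customers[customer_id]["token"], amount_cents)

    def refund(self, customer_id: str, txn_id: str, amount_cents: int) -> Transaction:
        return self.gateway.refund(self.customers[customer_id]["token"], txn_id, amount_cents)

    def holds_no_pan(self) -> bool:
        """Audit: no persisted merchant value contains a Luhn-valid card number."""
        for record in self.customers.values():
            for value in record.values():
                if any(luhn_ok(m) for m in PAN_CANDIDATE.findall(value)):
                    return False
        return True
```

The point of the audit method is that it is checkable: if someone later "helpfully" stores the full card number next to the token, `holds_no_pan` fails, which is exactly the kind of control you want in tests before a PCI assessment. Tokens here are random rather than a hash of the card number; a hashed token would let anyone holding the merchant database recover card numbers by brute force over the small PAN space.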