Can I make card present transactions to Authorize.Net via my web service?

I have a (hopefully) basic question on credit card processing, particularly using Authorize.Net. This is my first foray into credit card processing so I have been reading up on it quite a bit.

Let me describe what I am trying to do. I am in the process of building a POS application (WinForms) that receives all its data from my MVC3-based web service.

I want to include a credit card swipe & receipt printer with this solution. My thinking here is that I have the client app collect all relevant info (cc#, expiration date, name, etc) and call up to my webservice. Once I am in my webservice I would then call out to Authorize.Net, making a card present transaction.

Am I missing anything here? Is it OK to make a card present transaction from a web server? Anything to watch out for? Should I be looking at AIM (Advanced Integration Method) instead?

Windows App <=> Your Web Service <=> Authorize.Net

I'm not sure how you connect: Windows App <=> Your Web Service

Your Web Service <=> Authorize.Net is not hard. I have done a few projects using Authorize.Net Payment.

1) You need HTTPS for your web service

2) Inside your web service, post to "https://secure.authorize.net/gateway/transact.dll" along with parameters.

3) Once approved, you will get a TransactionCode. If it fails, you will get an error message.

Edited:

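using System.Collections.Specialized;
using System.Net;

// Build the form fields and post them to the gateway endpoint from step 2 (HTTPS).
WebClient webClient = new WebClient();
NameValueCollection nvc = new NameValueCollection();
nvc.Add("x_login", loginId);
nvc.Add("x_tran_key", transactionKey);
...
// data holds the raw gateway response bytes.
Byte[] data = webClient.UploadValues("https://secure.authorize.net/gateway/transact.dll", nvc);

Guide: Authorize.Net (http://developer.authorize.net/guides/SIM/Appendix_B/Appendix_B_Alphabetized_List_of_API_Fields.htm)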
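
Steps 1 to 3 above as one web-service-side helper, added here as an example (it is not part of the original answer and is not Authorize.Net's code): it refuses a non-HTTPS endpoint, parses the reply, and logs only a masked card number. The `GatewayRelay` class and its method names are hypothetical; the fields other than `x_login` and `x_tran_key`, and the `|`-delimited reply layout, are assumptions taken from the AIM field list and should be checked against the guide for your integration.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;
using System.Text;

// Added illustration; class and method names are hypothetical.
static class GatewayRelay
{
    // Endpoint quoted in step 2 of the answer above.
    const string Endpoint = "https://secure.authorize.net/gateway/transact.dll";

    // Keep only the last four digits so the full card number never reaches logs.
    public static string MaskPan(string pan)
    {
        if (string.IsNullOrEmpty(pan) || pan.Length < 4) return "****";
        return new string('*', pan.Length - 4) + pan.Substring(pan.Length - 4);
    }

    // Assumption: x_delim_data/x_delim_char request a '|'-delimited reply whose
    // first field is the response code (1 = approved) and fourth is the reason text.
    public static bool TryParse(string body, out string reason)
    {
        string[] f = (body ?? "").Split('|');
        reason = f.Length > 3 ? f[3] : "malformed gateway response";
        return f.Length > 3 && f[0] == "1";
    }

    public static bool Charge(string loginId, string transactionKey,
                              string pan, string expiry, string amount)
    {
        var uri = new Uri(Endpoint);
        if (uri.Scheme != Uri.UriSchemeHttps)   // step 1: never send card data in clear text
            throw new InvalidOperationException("Gateway endpoint must be HTTPS");

        var nvc = new NameValueCollection
        {
            { "x_login", loginId }, { "x_tran_key", transactionKey },
            { "x_card_num", pan }, { "x_exp_date", expiry }, { "x_amount", amount },
            { "x_delim_data", "TRUE" }, { "x_delim_char", "|" }
        };
        using (var client = new WebClient())
        {
            // Steps 2 and 3: post the fields, then read approval or the error text.
            string body = Encoding.UTF8.GetString(client.UploadValues(uri, nvc));
            string reason;
            bool ok = TryParse(body, out reason);
            Console.WriteLine("card {0}: {1} ({2})", MaskPan(pan), ok ? "approved" : "rejected", reason);
            return ok;
        }
    }
}
```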

To answer the "Is it OK" question, you need to check with Authorize.NET to see what their standards are.

To answer the "Is there anything else to watch out for" question...

There is a LOT to watch out for when processing credit cards. You need to comply with PCI standards, which in turn, means that you have to have a very well-defined development process with security inherent at every step of the process, from requirements gathering to coding, testing, release, etc.

I strongly recommend that you enlist professional, experienced help if you're really going to do credit card processing at all. I'm a developer in a retail organization that is subject to PCI compliance. I've been doing it for years and have been through several audits, so I'm pretty familiar with what it takes JUST to be PCI Compliant (which is a MINIMUM level of security you need to shoot for when dealing with cardholder data.)

Even with my experience, I'd be uncomfortable writing the credit card processing portion of a POS system without experienced help. It's one of those things where the more you learn, the more you realize you don't know anything.

If not, then start here: https://www.pcisecuritystandards.org/hardware_software/
