Question

In lieu of saving credit card information locally for recurring payments I was thinking I could request an authorization from a payment gateway for a certain amount and then capture that amount multiple times, every month or so.

One Payment Gateway's documentation says "Captures can be submitted for an amount equal to or less than the original authorization". That's a little bit of a problem since these recurring payments would be variable (i.e. you're billed based on how many API requests you make, which could be more or less than last month). Another payment gateway's documentation says you can only capture when "the original Authorization Only transaction was submitted within the previous 30 days", which makes me think that a second capture done sixty days out (vs. the thirty days out of the first capture) wouldn't work.

From what I've read a lot of places do recurring payments by saving the credit card number (encrypted) but not the CVV and then recurring charges they do a new authorize and capture transaction each month. Problem with this, as I understand it, though, is that saving the CC #, even if encrypted, requires full PCI DSS compliance, which administratively, seems to be a huge hassle, with requirements like "Verify access to all audit trails is logged" and "Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media".

authorize.net has a CIM API that seems like it'd fit the bill but I dunno... my employer doesn't want to work with authorize.net so I guess that's off the table.

Any ideas?


Solution

You won't be able to do this - there are enough gateways that support recurring payments that you should process the transaction as a recurring transaction rather than trying to do multiple captures from a single auth.

When you have your gateway do the recurring transaction, they store the credit card transaction, you don't. Too bad about a.net, they do a great job on just this sort of transaction.

You may want to look at stripe.com

OTHER TIPS

You definitely can't capture multiple payments from one authorization. Only one payment (capture) can occur per prior authorization. Once an amount is captured the authorization is no longer valid.

What you're looking for is called recurring billing. How it works is you create a subscription with a fixed amount, fixed schedule (monthly, annual, etc), and duration. When you create the subscription you provide the payment information (i.e. credit card details) and they store it on their servers which takes most of the PCI compliance out of your hands (accepting the credit card information on your site does come with some PCI responsibilities). Basically they charge the customer each month for you automatically.

If the amount of each payment or schedule for each payment will vary then a service like Authorize.Net's CIM is handy because they let you store the customer's credit card information on their servers by creating a payment profile for that customer. You then can charge against it simply by telling Authnet to charge that payment profile. Your PCI responsibilities are the same as with recurring billing.

If you're really trying to avoid PCI compliance Authorize.Net offers a hosted version of CIM which allows you to avoid having to handle the credit card information at all.

If your employer doesn't want to work with Authorize.Net you'll have to try to find someone who offers similar services. They're out there, although I can't say they offer as much as Authnet does, plus Authnet's APIs are the easiest to work with by far. But at least now you know how this works. Good luck.

Multiple partial captures for a single authorization are supported by some payment processors but not all. This document from Cybersource (starting on page 53), describes which payment processors do and do not support it. A summary is below (based on the Cybersource document):

Payment processors supporting multiple partial captures:

  • AIBMS
  • Asia, Middle East, and Africa Gateway
  • Barclays
  • CCS (CAFIS)
  • Chase Paymentech Solutions
  • FDC Compass
  • GPN
  • HSBC
  • JCN Gateway
  • Litle
  • OmniPay Direct
  • OmniPay-Ireland
  • TSYS Acquiring Solutions

Payment processors NOT supporting multiple partial captures:

  • American Express Direct
  • Atos
  • Cielo
  • Comercio Latino
  • Cybersource Latin American Processing
  • Cybersource through VisaNet
  • FDC Germany
  • FDC Nashville Global
  • FDMS Nashville
  • FDMS South
  • Global Collect
  • HBoS
  • Lloyds-OmniPay
  • LloydsTSB Cardnet
  • Moneris
  • Streamline

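An added example (not from the question or any of the answers) that models the two capture rules discussed above as a hypothetical gateway: one capture per authorization, for at most the authorized amount, within the 30-day window, versus a processor that allows several partial captures whose total may not exceed the original authorization. The Authorization class, the amounts and the dates are constructed for illustration; the two demo functions replay the question's variable-usage plan against each rule.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

class CaptureError(Exception):
    """A capture request that the gateway's rules reject."""

@dataclass
class Authorization:
    """Hypothetical model of a card authorization. multi_capture=False follows the
    gateways quoted in the answers (one capture per auth, at most the authorized
    amount, within window_days); True allows partial captures up to the auth total."""
    amount_cents: int
    authorized_on: date
    multi_capture: bool = False
    window_days: int = 30  # the "previous 30 days" rule quoted in the question
    captures: list = field(default_factory=list)

    def capture(self, amount_cents: int, on: date) -> int:
        """Record a capture and return the authorized amount still uncaptured."""
        if amount_cents <= 0:
            raise CaptureError("capture amount must be positive")
        if on - self.authorized_on > timedelta(days=self.window_days):
            raise CaptureError(f"authorization expired: outside the {self.window_days}-day window")
        if not self.multi_capture and self.captures:
            raise CaptureError("authorization already captured: one capture per auth")
        if sum(self.captures) + amount_cents > self.amount_cents:
            raise CaptureError("capture would exceed the original authorization")
        self.captures.append(amount_cents)
        return self.amount_cents - sum(self.captures)

def simulate_metered_plan(auth: Authorization, usage_cents: list, interval_days: int) -> list:
    """Bill variable usage against one auth every interval_days, as the question proposes."""
    outcomes = []
    for i, usage in enumerate(usage_cents, start=1):
        try:
            remaining = auth.capture(usage, auth.authorized_on + timedelta(days=interval_days * i))
            outcomes.append(f"cycle {i}: captured {usage}, remaining {remaining}")
        except CaptureError as exc:
            outcomes.append(f"cycle {i}: rejected ({exc})")
    return outcomes

# Constructed scenario: a 100.00 auth on 2024-01-01; metered usage of 40.00, 50.00, 30.00.
def demo_single_capture_gateway() -> list:
    return simulate_metered_plan(Authorization(10_000, date(2024, 1, 1)), [4_000, 5_000, 3_000], 15)

def demo_partial_capture_processor() -> list:
    auth = Authorization(10_000, date(2024, 1, 1), multi_capture=True)
    return simulate_metered_plan(auth, [4_000, 5_000, 3_000], 10)
```

Even on a processor that allows partial captures, the third cycle is rejected because cumulative usage passed the original authorization, which is the variable-billing problem the question raises.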
Licensed under: CC-BY-SA with attribution