How does Caribou handle recurring billing and stay 100% PCI compliant?
An introduction to PCI compliance
There are two very important components of PCI compliance. First, to store any credit card information (number, expiry date, etc.) on your server, you must satisfy a series of security requirements. Second, you must never store the user's CVV2 number; it acts as a kind of password that gives further protection against credit card fraud.
Every gateway is different
Recurring billing is handled differently by every payment gateway. For example, with the E-Xact payment gateway, Caribou creates a recurring seed transaction and stores the ID of this transaction in its database. Then, when it comes time to renew the subscription, Caribou tells the gateway to make another purchase using this recurring seed, and the gateway tells Caribou whether it was successful or not.
With Authorize.net, Caribou uses their Automatic Recurring Billing (ARB) feature. After the first payment is processed, the gateway automatically runs the recurring transactions on a schedule that Caribou imposes with the first purchase. Authorize.net reports both successes and failures in recurring payments to Caribou and Caribou deals with these accordingly.
PayPal has a unique "subscriptions" feature. Like ARB from Authorize.net, Caribou tells PayPal on what schedule to process the payments and PayPal then notifies Caribou of successful or unsuccessful payments. With PayPal, Caribou doesn't see the user's credit card information at any point in the process.
NetBilling has another unique system for recurring billing. Caribou defines the payment schedule and price at the time of signup. However, unlike other systems, Caribou must query NetBilling at the end of every billing cycle to see if/when a successful payment was made for this subscription. If a payment wasn't made, Caribou will let the subscription expire.
Secure and easy-to-use
So, while all of these gateways have unique recurring billing systems, they do have one thing in common: Caribou remains PCI compliant by not storing any credit card information. Furthermore, Caribou is able to cancel subscriptions when a payment fails, for whatever reason. This is the key to integrating payment gateways: make the most of each gateway's built-in features to minimize risk and make accepting online subscription payments easy.
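The following is an added example, not Caribou's own code, showing the general pattern the gateway descriptions above have in common: the application persists only a gateway-side reference (a seed transaction ID or a gateway subscription ID), refuses to persist anything that looks like card data, and renews either by replaying the stored seed (the push model described for E-Xact) or by asking the gateway at cycle end whether a payment landed and expiring the subscription if not (the poll model described for NetBilling). The `SeedGateway` and `PollGateway` classes are hypothetical in-memory stubs constructed for this example; they stand in for real gateway API calls.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Field names that must never reach the merchant's database.
CARD_FIELDS = {"card_number", "pan", "cvv", "cvv2", "expiry"}
# A run of 13-19 digits is the shape of a card number (PAN).
DIGIT_RUN = re.compile(r"\d{13,19}")


@dataclass
class Subscription:
    subscriber_id: str
    gateway: str
    gateway_ref: str      # seed transaction ID or gateway subscription ID
    period_days: int
    paid_through: date    # end of the cycle that has been paid for
    active: bool = True


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; real card numbers pass it, most transaction IDs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def assert_no_card_data(record: dict) -> None:
    """Refuse to persist a record carrying a disallowed field or a Luhn-valid
    13-19 digit run in any value. Keeping card data out of the store is what
    keeps the store out of PCI scope."""
    for key, value in record.items():
        if key.lower() in CARD_FIELDS:
            raise ValueError(f"refusing to store card field: {key}")
        if isinstance(value, str):
            compact = value.replace(" ", "").replace("-", "")
            for run in DIGIT_RUN.findall(compact):
                if luhn_ok(run):
                    raise ValueError(f"value for {key} looks like a card number")


def store_subscription(db: dict, sub: Subscription) -> dict:
    """Persist only gateway references and schedule data, after the check."""
    record = {
        "subscriber_id": sub.subscriber_id,
        "gateway": sub.gateway,
        "gateway_ref": sub.gateway_ref,
        "period_days": sub.period_days,
        "paid_through": sub.paid_through.isoformat(),
    }
    assert_no_card_data(record)
    db[sub.subscriber_id] = record
    return record


class SeedGateway:
    """Push model: the gateway holds the card behind a seed ID and the merchant
    asks it to charge that seed again at renewal. Constructed stub."""
    def __init__(self, outcomes: dict[str, bool]):
        self.outcomes = outcomes  # seed ID -> whether the next charge succeeds

    def charge_seed(self, seed_id: str) -> bool:
        return self.outcomes.get(seed_id, False)


class PollGateway:
    """Poll model: the gateway runs the schedule itself and the merchant asks,
    at cycle end, whether a payment was made. Constructed stub."""
    def __init__(self, paid_on: dict[str, date | None]):
        self.paid_on = paid_on  # subscription ID -> date of last successful payment

    def last_payment_date(self, sub_id: str) -> date | None:
        return self.paid_on.get(sub_id)


def renew_with_seed(sub: Subscription, gw: SeedGateway, today: date) -> Subscription:
    """Replay the stored seed; extend the subscription or let it expire."""
    if gw.charge_seed(sub.gateway_ref):
        sub.paid_through = today + timedelta(days=sub.period_days)
    else:
        sub.active = False
    return sub


def renew_by_polling(sub: Subscription, gw: PollGateway, today: date) -> Subscription:
    """At cycle end, count a payment only if it fell inside the cycle just ended."""
    paid = gw.last_payment_date(sub.gateway_ref)
    cycle_start = sub.paid_through - timedelta(days=sub.period_days)
    if paid is not None and cycle_start <= paid <= today:
        sub.paid_through = sub.paid_through + timedelta(days=sub.period_days)
    else:
        sub.active = False
    return sub
```

The Luhn check in `assert_no_card_data` is there so that a purely numeric gateway reference is not rejected just for being long; it is a last-line sanity check on what reaches the database, not a substitute for never accepting card fields into that code path in the first place.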
About the Author
Brock Ferguson is the lead developer of Caribou CMS. He lives in Vancouver, British Columbia, Canada.
