- Jul. 3rd, 2009
Authorize.NET dropped the ball again on July 3, 2009. Authorize.NET was down from approximately 03:15 EST, and they're still not 100% up @ 15:51 EST. That's pretty much 12 hours.
12 hours of downtime when you're dealing with money is really awful, and I won't even go into the details re: that.
Here's the thing. Regardless of your eCommerce package, in the case that Authorize.NET returns no pulse, you can at least retrofit your web application — and send yourself an email with customer information. You can also store the credit card information encrypted (carefully) elsewhere. Granted, it's not ideal to store credit card numbers ever, but this would only be in times of system failure. So here's the list:
1. Send All Failed Transactions to Your Email Account
If all else fails — and Authorize.NET returns nothing — you'll have customer information, cart contents, etc., and you'll be able to recover many transactions simply by calling the customer. Do not send credit card numbers via email — ever.
2. If Possible, Store the Order in an "ORDER_FAILED" State
Our eCommerce platform does this, and it (optionally) stores credit card numbers in an encrypted state until such time as the order is CANCELLED. To minimize danger, we automatically move orders from an ORDER_FAILED state to CANCELLED after 72 hours and user confirmation.
3. Do Not Use, or at Least Do Not Rely on, Authorize.NET's CIM Platform
We were developing this — and we have it partially implemented. However, CIM presents an awful single point of failure. If you use CIM to work with customer information and logins, your software must be able to fall back somehow — and the timeouts for the API requests would be extremely irksome. Really — what's the point of PCI compliance if you can't process orders at all whenever Authorize.NET drops the ball like this? I don't suggest storing credit card numbers — but at this point I have to think harder about completely relying on CIM.
Also — you might consider signing up with another failover gateway that supports Authorize.NET AIM-emulation. Nobody supports CIM-emulation, however, so reliance on CIM will preclude that option as well.
Our customers were able to recover most transactions because they went into an ORDER_FAILED state. I can only imagine how many people are upset today — you're not alone.
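An added example of steps 1 and 2 (not the author's platform code): the failure email is built from an allowlist of fields and scrubbed of Luhn-valid digit runs so a card number typed into a free-text field cannot ride along, and a sweep cancels ORDER_FAILED orders after the 72-hour window and discards the stored ciphertext. The field names, `card_ciphertext` and the function names are assumptions, and the user-confirmation step mentioned above is not modelled.

```python
import re
from datetime import datetime, timedelta
from email.message import EmailMessage

# Assumed field names; only these are copied into the email (no card fields).
SAFE_FIELDS = ("order_id", "name", "phone", "email", "cart", "notes")
# 13-19 digits, optionally separated by single spaces or hyphens.
DIGIT_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
RETENTION = timedelta(hours=72)  # window stated in the post


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_pans(text: str) -> str:
    """Redact Luhn-valid digit runs, e.g. a card typed into a notes field."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return "[REDACTED PAN]" if luhn_ok(digits) else m.group()
    return DIGIT_RUN.sub(repl, text)


def build_failure_email(order: dict, to_addr: str) -> EmailMessage:
    """Notification for an order the gateway never answered, minus card data."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = scrub_pans(f"Gateway down: order {order['order_id']} is ORDER_FAILED")
    lines = [f"{k}: {order[k]}" for k in SAFE_FIELDS if k in order]
    msg.set_content(scrub_pans("\n".join(lines)))
    return msg


def expire_failed(orders: list, now: datetime) -> int:
    """Cancel ORDER_FAILED orders older than 72 h and drop their stored card."""
    expired = 0
    for o in orders:
        if o["state"] == "ORDER_FAILED" and now - o["failed_at"] >= RETENTION:
            o["state"] = "CANCELLED"
            o.pop("card_ciphertext", None)  # assumed name of the encrypted blob
            expired += 1
    return expired
```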