Authorizing and Capturing Credit Card Transactions with Authorize.net and PHP/MySQL

This is a quick guide intended for anyone who wants to make some money online. I will be covering the Authorize.net Advanced Integration Method (AIM) which is fully documented elsewhere. Their documentation is excellent, but it does little for PHP/MySQL.

Things you will need:

• A server with PHP/MySQL and cURL
• An Authorize.net merchant account. Not a Merchant? Contact Authorize.
• An SSL certificate on the server you’re using
• A basic understanding of PHP and cURL

Step 0: Terminology

• Validate – before we go out and hit Authorize.net we need to make every effort to ensure the data we sent them is valid. This involves basic input validation and taking the credit card number through what is called the Luhn algorithm (wikipedia link contains a sample PHP function)
• Authorize – verify that the card could be charged for an amount.
• Capture – actually charge the card a specified amount.
• Transaction – completion of at least the authorization step
• PCI Compliance – PCI stands for Payment Cardholder Institute. It’s basically a consortium of American Express, JCB, MasterCard, and VISA International who have set forth security guidelines that developers must be privvy to in order to legally store customer payment data.

Step 1: Preparing the Data

The required fields for a successful Authorize.net Credit Card transaction are:

• x_login (constant, authorize.net will provide this)
• x_tran_key (constant, authorize.net will provide this)
• x_delim_data (x_delim_char, x_encap_char) – you can specify how Authorize.NET returns data to you. The delimiting character I used was ”|” and the encapsulating characters I used were “”. So my data would look like: “1”|”The transaction was approved.”
• x_amount – an amount. No dollar sign. 00.00
• x_method – set this to “CC”.
• x_type – Defaults to AUTH_CAPTURE. Depending on your business needs you may/may not want to Authorize and Capture on the spot. Check the documentation for other settings.
• x_card_num – the Luhn validated credit card number.
• x_exp_date – card’s expiration date. A variety of formats will work. I’m partial to MM-YYYY. PHP date(“m-Y”, $exp_date).
• x_card_code – CVV code

You’ll want to gather all of this data into a POST string, like this one:

x_login=abc&x_tran_key=123…&x_card_code=234

This can be done a variety of ways in PHP. From an example gotten at Authorize.net:

$authnet_values= array
(
"x_login"=> $auth_net_login_id,
"x_version"=> "3.1",
"x_delim_char"=> "|",
"x_delim_data"=> "TRUE",
"x_url"=> "FALSE",
"x_type"=> "AUTH_CAPTURE",
"x_method"=> "CC",

"x_tran_key"=> $auth_net_tran_key, "x_relay_response"=> "FALSE",
"x_card_num"=> "4242424242424242",
"x_exp_date"=> "1203",
"x_description"=> "Recycled Toner Cartridges",
"x_amount"=> "12.23",
"x_first_name"=> "Charles D.",
"x_last_name"=> "Gaulle",
"x_address"=> "342 N. Main Street #150",
"x_city"=> "Ft. Worth",
"x_state"=> "TX",
"x_zip"=> "12345",
);

$fields = "";
foreach( $authnet_values as $key => $value ) $fields .= "$key=" . urlencode( $value ) . "&";

Step 2: Sending to Authorize.net

There are two URLs you can use to send to Authorize.net:

1. https://certification.authorize.net/gateway/transact.dll – testing only
2. https://secure.authorize.net/gateway/transact.dll – production only

The PHP:

$ch = curl_init("https://certification.authorize.net/gateway/transact.dll");
curl_setopt($ch, CURLOPT_HEADER, 0); // removes HTTP headers from response
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Returns response data
curl_setopt($ch, CURLOPT_POSTFIELDS, rtrim( $fields, "& " )); // use HTTP POST to send form data
$authorize_response = curl_exec($ch); //execute post and get results
curl_close ($ch);

Testing the transactions can be a pain.

Here are some numbers to test your transactions with:

• Visa: 4111-1111-1111-1111
• MasterCard: 5431-1111-1111-1111
• Amex: 341-1111-1111-1111
• Discover: 6011-6011-6011-6611

Step 3: Parsing Authorize’s Response

Authorize.net will send back a response to you, stored in $authorize_response. It will vary depending on the delimiters you set up in your cURL request. It should look something like this:

“X”|”XXX”|”XX”|”XX”|”X”|”X”|”X”|”X”|”X”|”X”|”X”

Again, this string depends on what you sent to Authorize.NET via cURL. You’ll now want to make heavy use of PHP’s explode function and deal with what happens in your application when there is success, failure, or other errors.

The big one is the first field you receive back. It’s referred to as “ResponseCode”. There are three different ResponseCodes—1 = Approved, 2 = Declined, 3 = Error. After you receive a ResponseCode of 1—and only after that can you consider the transaction complete and start fulfilling the order.

Read up in the Authorize.net AIM documentation for more about response codes. – It’s under “Gateway Response API”.

Authorize.net also provides sample PHP code if you’re still having trouble.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

Back to Andy Hill's homepage