Do You Know Where YOUR Credit Card Number Is?

Posted by Chris Shorrock Wed, 09 Aug 2006 19:50:00 GMT

Now I’m not here to name names, or call people out on their bad designs, but there is something very scary about how credit card processing works. As someone who has had to implement credit card processing using a variety of different processors for a variety of different companies, I’m always amazed by the amateur status of almost (as there are a few rare exceptions) all credit card APIs.

For those of you who are wondering what the problem is, let me enlighten you: these APIs seem to have been designed by monkeys. It’s my belief that these companies have employed the infinite monkey theorem to get things done. I can’t speak to what happens after you send your information to these companies as the process is (as it should be) a black box, but if the client interface is any example you should be afraid, very very afraid.

Now considering that my monkey theorem presented above is correct, I have to applaud the monkeys for at least getting the documentation correct some monkey needs to be spanked for the awful documentation that is presented to developers of almost every system. Let’s take a peek at the XML structure for an unnamed payment processor.

<auth> 
  <order> 
    <orderDescription>order12312323</orderDescription> 
    <customerPaymentPageText>M123456789</customerPaymentPageText> 
    <currencyText>USD</currencyText> 
    <amount>100.00</amount>     
  </order> 
  <card> 
    <cardHolderName>Steve Smith</cardHolderName> 
    <cardNo>8005787962</cardNo> 
    <securityCode>123456789</securityCode> 
    <cardTypeText>BLAH</cardTypeText> 
    <ipaddress>192.168.1.1</ipaddress> 
  </card> 
  <option> 
    <useroption>100000000000000000000000000000</useroption> 
  </option> 
</auth>

Looks good? Sure it looks ok, until you start looking at the description for each of these fields:

cardNo: you would expect this to be the card number of the card. However, the monkeys thought differently; this is actually a 1-800 number. Yes, that’s right, a phone number is stored in the cardNo field.

useroption: What’s this happy little fella? Most processors give you some level of customizability, and this is this processor’s attempt at it. The problem is that if you omit this field, or if it does not equal 100000000000000000000000000000, you will get an error which reads "Request Timed Out from Processor - Connect switch". So there’s a field that is required, that is meant to provide customizability, yet can only contain 1 value or else you get an error that reads like it was a configuration problem? Yes - thank you monkey, thank you for the 4 hour headache this caused as I worked out the problem with your technical support monkey who I’m sure was reading answers out of a book.

Does it work? Yes, eventually, after costing more development money than it should.
Is it scary? YES^2.

Why is it that what should be an uber-professional API is almost always a gong show? Marketing - because these processors have a nice looking website, with flashy buzzwords, the powers that be, WOW’d by the shiny objects, will always go with the service that has the most shine. What they neglect to realize is that the company has thrown the monkeys in the back room while they smear their poo on the wall. Not so shiny in that room…
