Want your Web App to store credit card data? Use monkeycharger.
NOTE: See http://repo.or.cz/w/monkeycharger.git for future updates
Store credit cards via the REST API. Then you can authorize and capture amounts on those stored cards (or do one-time authorizations/captures on a non-saved card). Uses ActiveMerchant for authorizing and capturing.
Credit card numbers are stored in the database. As such, you'll want to run this application on a very secure machine. When saving the credit card, you'll need to supply a unique key (I call it "passphrase"). You'll need to use the correct passphrase when authorizing a saved card.
API summary
Storing Credit Cards
- POST /credit_cards.xml with parameters such as number, cvv, month, year, name, etc. You'll also need to supply a passphrase parameter; use the same passphrase when authorizing against the saved card.
Uses the ActiveResource conventions. But this might change -- ActiveResource might be overkill for this.
Authorizing credit cards
- POST /authorizations.xml with parameters amount and the same credit card parameter group as above.
- POST /authorizations.xml with parameters amount and credit_card_id.
Both of these return a transaction_id and an X-AuthorizationSuccess HTTP header on success, or text describing the failure reason if the card could not be authorized.
Capturing
- POST /captures.xml with parameters amount and transaction_id.
If the capture was successful, the X-CaptureSuccess HTTP header will be set. If not, the response contains the reason why.
Cancelling
- POST /cancelations.xml with parameter transaction_id.
Refunds
- POST /refunds.xml with parameters amount, transaction_id, and last_four_digits_of_credit_card.
Comments? I hope to finish this up in the next few days. There's a plugin in vendor/plugins/monkey_charger that you'd install into your Rails application in order to use this (optional).
I'd really like someone who knows encryption to look at how I handle the credit card encryption and make sure it's somewhat sane.
Remote Key Clarification
Here's an email I sent in response to a question:
The "remote key" is a way to make sure that, if someone hacked their way into the credit card server, they couldn't decrypt it without the remote key that's stored by the client of the monkeycharger application. I should probably call the remote key "salt" instead. It changes (or is supposed to change) for each credit card. So the process is:
- Website takes credit card, generates salt or remote key
- Stores credit card on monkey charger -- sending the salt
- When I want to do an authorization on the card, I send the salt along with the authorization request. This lets the monkeycharger application decrypt the credit card number to send to the card processor.
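One way to realise the remote-key scheme described in that email, as an added example that is not monkeycharger's own code: the server derives the data-encryption key from the client-supplied remote key, a per-record random salt and a server-side secret held outside the card database, and uses AES-256-GCM so that a wrong remote key, a row copied under another id, or altered stored bytes all fail closed instead of yielding a garbage card number. CardVault, SERVER_SECRET and the sample card number are constructed names and values.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Hypothetical helper (not monkeycharger's code) showing one sane way to bind
# stored card data to a remote key that only the calling website holds.
module CardVault
  ITERATIONS = 100_000
  # Server-side secret kept in app config, never in the card database (constructed sample).
  SERVER_SECRET = 'example-server-secret-not-real'.freeze

  # Derive a 256-bit key from the client's remote key, a per-record random salt
  # and the server secret. A copy of the database alone is not enough to decrypt.
  def self.derive_key(remote_key, record_salt)
    OpenSSL::KDF.pbkdf2_hmac(remote_key, salt: SERVER_SECRET + record_salt,
                             iterations: ITERATIONS, length: 32, hash: 'sha256')
  end

  # Encrypt a card number; returns the fields that would be stored in the row.
  # GCM authenticates the ciphertext and the card_id, so tampering is detected.
  def self.encrypt_number(number, remote_key, card_id)
    record_salt = SecureRandom.random_bytes(16)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = derive_key(remote_key, record_salt)
    iv = cipher.random_iv                    # fresh 12-byte IV per encryption
    cipher.auth_data = card_id.to_s          # bind ciphertext to its own row id
    ciphertext = cipher.update(number) + cipher.final
    { salt: Base64.strict_encode64(record_salt), iv: Base64.strict_encode64(iv),
      tag: Base64.strict_encode64(cipher.auth_tag), data: Base64.strict_encode64(ciphertext) }
  end

  # Decrypt at authorization time. Returns nil rather than a wrong number when
  # the remote key, the row id or the stored bytes do not match.
  def self.decrypt_number(row, remote_key, card_id)
    salt, iv, tag, data = %i[salt iv tag data].map { |k| Base64.strict_decode64(row[k]) }
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = derive_key(remote_key, salt)
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = card_id.to_s
    cipher.update(data) + cipher.final       # final raises on any tag mismatch
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end
```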
Rails Way Writeup
Jamis Buck did a write-up on monkeycharger: http://www.therailsway.com/2007/9/3/using-activeresource-to-consume-web-services
