Authorize.Net
Authorize.Net is a payment gateway service that enables merchants to accept credit card, debit card, electronic check, and digital wallet payments securely through online, in-person, mobile, and over-the-phone channels.[1] As a wholly owned subsidiary of Visa, it simplifies transaction processing, fraud prevention, and payment management for businesses of all sizes.[1]
Founded in 1996, Authorize.Net has evolved into a trusted platform serving over 445,000 merchants worldwide, processing more than 1 billion transactions and $149 billion in payments annually (as of 2025).[1] In 2010, Visa acquired Authorize.Net as part of its $2 billion purchase of parent company CyberSource Corporation, integrating it into Visa's broader payment ecosystem to enhance global merchant services.[2] In April 2025, Visa announced a reimagining of Authorize.Net, introducing AI-powered fraud protection, unified checkout capabilities, and a streamlined user interface to further enhance merchant services.[3]
Key features include the Advanced Fraud Detection Suite (AFDS) with configurable filters[4] and 3D Secure authentication for risk mitigation,[5] tokenization to protect sensitive data,[6] and tools like the Virtual Terminal for manual order entry[7] and Customer Information Manager (CIM) for storing billing profiles.[8] It also supports recurring billing, automated invoicing, and integration with e-commerce platforms via APIs, allowing seamless scalability for small businesses to enterprises.[9] Authorize.Net operates through a network of reseller partners, including independent sales organizations and financial institutions, to provide flexible pricing and support.[1]
History
Founding and Early Development
Authorize.Net was founded in 1996 in Utah by Jeff Knowles, a credit card terminal salesman who recognized the growing need for secure online payment solutions as the internet began enabling e-commerce.[10] Knowles, who had studied computer science and business at Brigham Young University and the University of Phoenix, drew on his technical background from roles at WordPerfect Corporation to develop the company's initial infrastructure.[11] Prior to founding Authorize.Net, he had worked as an engineer and received extensive training in software and networking, which informed his vision for bridging online merchants with payment processors.[11]
The company's early purpose centered on creating a payment gateway that facilitated real-time credit card authorizations over the internet without requiring merchants to store sensitive card data on their own systems, thereby enhancing security in an era when online transactions were nascent and fraught with risks.[11] Launched in April 1997 after six months of development, Authorize.Net introduced secure processing using HTTPS and SSL encryption, connecting directly to processors like First Data via leased lines to enable instant approvals.[11] This innovation coined the term "payment gateway" and addressed the limitations of earlier methods, such as email or fax-based submissions, by providing a standardized, automated interface for transaction handling.[11]
Amid the late 1990s e-commerce boom, Authorize.Net experienced rapid initial growth by partnering with merchant account sales agents and achieving profitability almost immediately through modest seed funding of $100,000 from friends and family.[11] The platform's core technology supported the surge in online retail, offering tools like APIs and virtual terminals that simplified integration for early adopters.[11] By 1999, this foundational development positioned the company for acquisition by Go2Net, Inc., marking the end of its independent early phase and paving the way for broader evolution under new ownership.[10]
Acquisitions and Ownership Changes
In 1999, Authorize.Net was acquired by Go2Net, Inc., a Seattle-based internet services company backed by Microsoft co-founder Paul Allen through his Vulcan Ventures investment arm, for $90.5 million consisting of $13.5 million in cash and $77 million in stock.[12][13] This transaction integrated Authorize.Net into Go2Net's broader portfolio of e-commerce and online services, positioning it as a key component for facilitating secure payment processing amid the rapid growth of internet commerce.[14]
By 2007, Authorize.Net underwent another significant ownership change when it was purchased by CyberSource Corporation, a provider of electronic payment and risk management solutions, in a stock-and-cash deal valued at approximately $565 million based on the closing prices of the NASDAQ Global Market System on the announcement date.[15] The acquisition enhanced CyberSource's capabilities by combining Authorize.Net's established small-business payment gateway with CyberSource's advanced fraud detection and risk management tools, enabling a more comprehensive suite of services for merchants across various e-commerce segments.[16][17]
In 2010, CyberSource was acquired by Visa Inc. for $2 billion in cash, rendering Authorize.Net a wholly owned subsidiary of the global payments giant and aligning its operations with Visa's extensive network of financial institutions and merchants.[2] This move bolstered Authorize.Net's strategic position by leveraging Visa's international infrastructure to support cross-border transactions and reduce fraud exposure for online merchants.[18]
Following the 2010 acquisition, Authorize.Net experienced strategic expansions under Visa's ownership, including deepened integration with Visa's payment ecosystem to facilitate global merchant adoption and enhanced developer tools for seamless connectivity to Visa's authorization and clearing systems.[2] These developments extended Authorize.Net's reach beyond the U.S. market, enabling it to process transactions in multiple currencies and support international e-commerce growth while maintaining its focus on secure, scalable payment solutions.[19]
Outages and Incidents
One of the most significant outages in Authorize.Net's history occurred on July 2, 2009, when a small electrical fire broke out in the basement of Fisher Plaza, a data center in Seattle where the company's primary infrastructure was hosted.[20][21] The fire triggered a power failure that disrupted services across multiple tenants, including Authorize.Net, leading to widespread downtime for its website and payment processing capabilities that lasted several hours.[22][23] During this period, e-commerce transactions relying on Authorize.Net's gateway were halted, preventing credit card authorizations and affecting online merchants globally.[21]
The 2009 incident had substantial impacts on Authorize.Net's merchant base, with thousands of websites unable to process payments, resulting in lost revenue during a holiday weekend peak period.[22][21] E-commerce vendors reported significant disruptions, including delayed orders and customer frustrations, leading to complaints about the lack of redundancy in the infrastructure at the time.[22] Services were restored by early afternoon on July 3, 2009, after failover efforts to backup systems, but the event highlighted vulnerabilities in single-site dependency.[23][24]
In more recent years, Authorize.Net has experienced intermittent service disruptions documented through its official status reports. For instance, in September 2025, login problems with the mPOS 2.0 mobile app on iOS devices impacted users' ability to access merchant interfaces, lasting approximately 22 hours before resolution.[25] A further incident on November 10, 2025, involved payment gateway processing failures for select customers, resolved within about 3.5 hours.[25] On November 18, 2025, a login issue with the Merchant and Partner Interface affected customer access from 13:20 GMT to 14:35 GMT (1 hour 15 minutes) before full resolution.[25] These events, while shorter in duration than the 2009 outage, underscored ongoing challenges with API reliability and mobile access during high-traffic periods.
Authorize.Net maintains response protocols centered on real-time communication via its status page, where updates on incidents, estimated resolution times, and post-event analyses are posted for subscribers and users.[26][27] Following disruptions, the company conducts internal reviews to identify causes and implement mitigations, such as enhanced failover mechanisms to improve infrastructure resilience against power or connectivity failures.[25] These measures, supported by Visa's oversight since its 2010 acquisition of parent company CyberSource, have contributed to reduced outage frequencies in subsequent years.[25]
Services and Features
Payment Processing Capabilities
Authorize.Net supports a wide range of payment methods, enabling merchants to accept transactions through online, in-person (retail), mobile, and over-the-phone channels. Key payment types include major credit cards such as Visa, Mastercard, American Express, Discover, JCB, and UnionPay; electronic checks (eChecks) for ACH payments; and digital wallets like Apple Pay and PayPal. EMV chip cards are also accommodated for secure in-person processing. This versatility allows businesses in the US, Canada, and Australia to handle both domestic and international payments.[28]
The core transaction flow begins with the merchant submitting payment data via the Authorize.Net gateway, which performs real-time authorization to verify fund availability with the issuing bank. Upon approval, merchants can capture the transaction to initiate processing, followed by settlement where funds are deposited into the merchant's bank account, typically within one to two business days. Authorize.Net ensures merchants do not store sensitive card data directly; instead, it uses tokenization through the Customer Information Manager (CIM) to securely hold payment details on Authorize.Net's servers, reducing PCI DSS compliance burdens.[29][8]
Recurring payments are facilitated by Automated Recurring Billing (ARB), which supports subscription-based billing for credit cards and eChecks with customizable schedules, installment options, trial periods, and multiple payment methods per profile. As of September 2024, there is no maximum duration limit on subscriptions. Customer profiles store billing, shipping, and tokenized payment information—up to 10 payment profiles and 100 shipping addresses per customer—for streamlined future transactions, including one-click repeat purchases. The Merchant Interface provides an online portal to monitor subscription status and transaction history.[30][6][31]
Order tracking is managed through the Merchant Interface's transaction search and reporting features, allowing merchants to locate specific transactions by ID, date, amount, or partial card/account details and review full details such as authorization codes, fees, and status updates. Inventory management capabilities are available via integrations with e-commerce platforms and third-party tools that connect to Authorize.Net for real-time order synchronization and stock updates.[32][33]
Compatibility extends to manual processing via the Virtual Terminal for phone or in-person entry, seamless website integrations for e-commerce carts, and mobile apps with encrypted card readers for on-the-go acceptance. These options provide flexibility for diverse business models, from small retailers to online enterprises. Integrated fraud prevention tools further secure these processes by analyzing transaction patterns in real time.[34][9]
Fraud Prevention and Management Tools
Authorize.Net provides a suite of tools designed to help merchants detect, prevent, and manage fraudulent transactions during payment processing. These tools integrate seamlessly with the platform's payment acceptance features to add protective layers without disrupting legitimate transactions.[4]
The Advanced Fraud Detection Suite (AFDS) is a core component, offering a set of rules-based transaction filters and Internet Protocol (IP) address tools to screen incoming payments in real time. It includes 13 configurable filters that evaluate factors such as transaction velocity, amount thresholds, shipping and billing address mismatches, and IP location discrepancies. For instance, velocity checks monitor the number of transactions per card, per hour, or per IP address to flag potential card-testing attempts, while enhanced Address Verification Service (AVS) and Card Verification Value (CVV) handling ensures stricter matching of provided details against issuer records. Merchants can customize filter actions, ranging from reporting suspicious activity for review to automatically declining high-risk transactions, with the most severe action applied if multiple filters trigger.[35][4]
Complementing AFDS, the Customer Information Manager (CIM) enables merchants to tokenize and securely store customer payment profiles on Authorize.Net's servers, minimizing the handling of sensitive data and reducing the scope of PCI compliance requirements. This storage facilitates safer repeat transactions by allowing customers to reference pre-saved profiles via tokens, thereby lowering the risk of fraud associated with re-entering card details and enabling better tracking of customer behavior across sessions.[8][36]
Rule-based filtering within AFDS allows for tailored alerts on suspicious patterns, such as high-value orders from unusual IP locations or rapid successive transactions from the same source. Merchants can set parameters for geographic restrictions, session durations, and sequential card usage to generate notifications via email or interface alerts, enabling proactive intervention before fraud escalates.[35][37]
For post-processing management, Authorize.Net offers reporting tools accessible through the merchant interface, including Transaction Search for viewing fraud filter results and analytics on declined or held transactions. These reports help identify emerging fraud trends by aggregating data on patterns like repeat disputes. Additionally, the Cardholder Dispute Resolution Network (CDRN) assists in managing chargebacks by providing automated notifications and tools to respond to disputes, potentially reducing losses and account risks through timely resolutions.[33][38]
Technical Integration
APIs and Developer Resources
Authorize.Net provides a comprehensive set of APIs designed for secure payment processing, enabling developers to integrate payment functionalities into applications. The primary API endpoint is hosted at https://apitest.authorize.net/xml/v1/request.api for sandbox testing and https://api.authorize.net/xml/v1/request.api for production, and accepts XML-based requests authenticated with an API Login ID and Transaction Key.[39]
Key endpoints in the API reference include those for payment transactions, managed through the createTransactionRequest method. This endpoint supports various transaction types, such as authCaptureTransaction for authorizing and immediately capturing credit card payments, authOnlyTransaction for authorization without capture, priorAuthCaptureTransaction for capturing previously authorized funds using a reference transaction ID, and captureOnlyTransaction for capturing funds authorized via non-API channels like phone orders with an authorization code. For example, a charge request includes merchant authentication, payment details (e.g., card number, expiration, amount), and order information, returning a transaction ID, authorization code, and status upon success.[40]
Customer profiles are handled via endpoints like createCustomerProfileRequest and createCustomerPaymentProfileRequest, allowing storage of customer data for recurring or one-click payments without retaining sensitive information on the merchant's servers. These APIs generate a unique customerProfileId and customerPaymentProfileId for future transactions, supporting features like updating or deleting profiles while adhering to tokenization for security.[39]
eCheck processing is integrated into the same createTransactionRequest endpoint, using bank account details (routing number, account number, and account type such as checking or savings) in place of card information to initiate electronic check transactions. This supports ACH transfers for one-time or recurring payments, with responses indicating approval or holds based on bank verification.[41]
Transaction response codes provide standardized feedback on API calls and payments, categorized as follows: code 1 for approved transactions, 2 for declined (e.g., insufficient funds), 3 for errors (e.g., invalid data), and 4 for held for review (e.g., fraud suspicion). Additional details include AVS result codes (e.g., Y for full address match) and CVV codes (e.g., M for match), with message codes like I00001 for success; a full lookup tool is available for detailed interpretation.[42]
The Developer Center at developer.authorize.net offers essential tools for integration, including a sandbox environment that mirrors production but processes no real charges, allowing safe testing with separate credentials. It provides sample code in multiple languages (e.g., PHP, .NET, Java, Ruby, Python, Node.js via GitHub SDKs), editable request bodies for prototyping API calls, and interactive documentation for quick experimentation.[43][44][45]
Webhooks enable real-time notifications for events such as transaction approvals, refunds, disputes, or recurring billing updates, configured via POST requests to the /webhooks endpoint with a secure URL on the developer's server. Notifications are authenticated using a shared secret and can be verified for integrity, supporting asynchronous event handling without polling.[46]
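One way a receiving server can perform the integrity check described above, given as an added example rather than code from Authorize.Net or its SDKs. It assumes the signature arrives in an X-ANET-Signature header as "sha512=" followed by the hex HMAC-SHA512 of the raw request body, keyed with the merchant's Signature Key used as a text string; the key and event below are constructed samples.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-anet-signature"   # header name (assumed, see lead-in)
SIGNATURE_PREFIX = "sha512="

# Constructed sample values, not real credentials or a real notification.
SAMPLE_KEY = "0123456789ABCDEF0123456789ABCDEF"
SAMPLE_BODY = (b'{"notificationId":"sample-0001",'
               b'"eventType":"net.authorize.payment.authcapture.created",'
               b'"payload":{"responseCode":1,"authAmount":12.50,"id":"1000"}}')


def expected_signature(signature_key: str, raw_body: bytes) -> str:
    """Uppercase hex HMAC-SHA512 of the body exactly as received on the wire."""
    mac = hmac.new(signature_key.encode("utf-8"), raw_body, hashlib.sha512)
    return mac.hexdigest().upper()


def verify_webhook(headers: dict, raw_body: bytes, signature_key: str):
    """Return the parsed event if the signature is valid, otherwise None.

    The MAC is checked over the raw bytes before any JSON parsing, so a
    forged or altered body never reaches the application's event handlers.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get(SIGNATURE_HEADER, "")
    if not value.lower().startswith(SIGNATURE_PREFIX):
        return None  # header missing or an unexpected algorithm label
    supplied = value[len(SIGNATURE_PREFIX):].strip().upper()
    expected = expected_signature(signature_key, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8")):
        return None
    try:
        return json.loads(raw_body)
    except ValueError:
        return None  # authentic but malformed: reject rather than guess


def sample_headers() -> dict:
    """Headers a genuine sender holding SAMPLE_KEY would attach to SAMPLE_BODY."""
    return {"X-ANET-Signature":
            SIGNATURE_PREFIX + expected_signature(SAMPLE_KEY, SAMPLE_BODY)}


if __name__ == "__main__":
    print("genuine :", verify_webhook(sample_headers(), SAMPLE_BODY, SAMPLE_KEY))
    tampered = SAMPLE_BODY.replace(b"12.50", b"0.01")
    print("tampered:", verify_webhook(sample_headers(), tampered, SAMPLE_KEY))
```

The handler must be given the request body bytes before any framework re-serializes the JSON, since a change in whitespace or key order alters the MAC.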
The Accept suite simplifies integration by providing hosted payment forms and SDKs to reduce PCI compliance scope. Accept Hosted offers a mobile-optimized, Authorize.Net-hosted form for collecting payments, requested via getHostedPaymentPageRequest to generate an iframe embed token. Accept.js, a JavaScript library, securely tokenizes card data client-side before submission to the API, minimizing server exposure to sensitive information. Mobile-specific SDKs are available for iOS and Android to extend these capabilities.[47][48][49]