Authorizing and Capturing Credit Card Transactions with and PHP/MySQL

This is a quick guide intended for anyone who wants to make some money online. I will be covering the Advanced Integration Method (AIM) which is fully documented elsewhere. Their documentation is excellent, but it does little for PHP/MySQL.

Things you will need:

  • A server with PHP/MySQL and cURL
  • An merchant account. Not a Merchant? Contact Authorize.
  • An SSL certificate on the server you’re using
  • A basic understanding of PHP and cURL

Step 0: Terminology

  • Validate – before we go out and hit we need to make every effort to ensure the data we sent them is valid. This involves basic input validation and taking the credit card number through what is called the Luhn algorithm (wikipedia link contains a sample PHP function)
  • Authorize – verify that the card could be charged for an amount.
  • Capture – actually charge the card a specified amount.
  • Transaction – completion of at least the authorization step
  • PCI Compliance – PCI stands for Payment Cardholder Institute. It’s basically a consortium of American Express, JCB, MasterCard, and VISA International who have set forth security guidelines that developers must be privvy to in order to legally store customer payment data.

Step 1: Preparing the Data

The required fields for a successful Credit Card transaction are:

  • x_login (constant, will provide this)
  • x_tran_key (constant, will provide this)
  • x_delim_data (x_delim_char, x_encap_char) – you can specify how Authorize.NET returns data to you. The delimiting character I used was ”|” and the encapsulating characters I used were “”. So my data would look like: “1”|”The transaction was approved.”
  • x_amount – an amount. No dollar sign. 00.00
  • x_method – set this to “CC”.
  • x_type – Defaults to AUTH_CAPTURE. Depending on your business needs you may/may not want to Authorize and Capture on the spot. Check the documentation for other settings.
  • x_card_num – the Luhn validated credit card number.
  • x_exp_date – card’s expiration date. A variety of formats will work. I’m partial to MM-YYYY. PHP date(“m-Y”, $exp_date).
  • x_card_code – CVV code

You’ll want to gather all of this data into a POST string, like this one:


This can be done a variety of ways in PHP. From an example gotten at

$authnet_values= array
“x_login”=> $auth_net_login_id,
“x_version”=> “3.1”,
“x_delim_char”=> “|”,
“x_delim_data”=> “TRUE”,
“x_url”=> “FALSE”,
“x_type”=> “AUTH_CAPTURE”,
“x_method”=> “CC”,

“x_tran_key”=> $auth_net_tran_key,
“x_relay_response”=> “FALSE”,
“x_card_num”=> “4242424242424242”,
“x_exp_date”=> “1203”,
“x_description”=> “Recycled Toner Cartridges”,
“x_amount”=> “12.23”,
“x_first_name”=> “Charles D.”,
“x_last_name”=> “Gaulle”,
“x_address”=> “342 N. Main Street #150”,
“x_city”=> “Ft. Worth”,
“x_state”=> “TX”,
“x_zip”=> “12345”,

$fields = “”;
foreach( $authnet_values as $key => $value ) $fields .= “$key=” . urlencode( $value ) . “&”;

Step 2: Sending to

There are two URLs you can use to send to

  1. – testing only
  2. – production only

The PHP:

$ch = curl_init(“”);
curl_setopt($ch, CURLOPT_HEADER, 0); // removes HTTP headers from response
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Returns response data
curl_setopt($ch, CURLOPT_POSTFIELDS, rtrim( $fields, “& ” )); // use HTTP POST to send form data
$authorize_response = curl_exec($ch); //execute post and get results
curl_close ($ch);

Testing the transactions can be a pain.

Here are some numbers to test your transactions with:

  • Visa: 4111-1111-1111-1111
  • MasterCard: 5431-1111-1111-1111
  • Amex: 341-1111-1111-1111
  • Discover: 6011-6011-6011-6611

Step 3: Parsing Authorize’s Response will send back a response to you, stored in $authorize_response. It will vary depending on the delimiters you set up in your cURL request. It should look something like this:


Again, this string depends on what you sent to Authorize.NET via cURL. You’ll now want to make heavy use of PHP’s explode function and deal with what happens in your application when there is success, failure, or other errors.

The big one is the first field you receive back. It’s referred to as “ResponseCode”. There are three different ResponseCodes—1 = Approved, 2 = Declined, 3 = Error. After you receive a ResponseCode of 1—and only after that can you consider the transaction complete and start fulfilling the order.

Read up in the AIM documentation for more about response codes. – It’s under “Gateway Response API”. also provides sample PHP code if you’re still having trouble.

See also…


About andyhillky
I'm cool.

One Response to Authorizing and Capturing Credit Card Transactions with and PHP/MySQL

  1. adam says:

    fo reel i have always wanted to do this, it’s a possibility… when are you thinking about goin? schedule and $ only issues for me… btw wtf is static line? LOL SKYDIVE CONNECTED TO ZIPLINE

%d bloggers like this: