After getting really excited that Authorize.net's DPM would eliminate any PCI issues, I discovered that it doesn't work with ARB or CIM. Thus, there's no way with DPM to handle recurring donations.
I settled on using Recurly (http://www.recurly.com), which seems like a pretty reasonable option. Their recurly.js library and the python library published on pypi make a PCI compliant integration to manage recurring billing pretty easy. Since they charge 1.25% plus $0.10 on top of merchant account fees, it still makes sense to use Authorize.net's DPM for one time donations. There's a $69/month minimum.
A goal of the system was to keep credit card data far enough away from the system to allow for PCI SAQ A. Using DPM and Recurly seems to accomplish that goal.
Initiating recurring donations in Recurly requires the following changes on the python side:
- Control panel fields for subdomain, api key, and private key
- Control panel field for plan code. NOTE: this should probably be changed to be set per campaign for greater flexibility
- A view method to generate a signature for the javascript, which is passed through to the view's template. The method just needs the plan code and the recurly python library.
- A view to receive the post callback after successful subscription creation. This method receives a token via post. The recurly python library can then be used to fetch the subscription details from the Recurly API and redirect the user to the thank you page.
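The two server-side pieces above, a signed request for the browser form and a callback that trusts only the token, follow a pattern worth seeing in code. The following is an added example, not code from the original post or from Recurly's python library: it uses a generic HMAC-SHA256 signature over the plan code, a timestamp and a nonce (recurly.js has its own signing format, which this does not reproduce), and the callback handler takes a `fetch_subscription` function as a stand-in for the Recurly API client. The `recurly_token` field name, the private key, and the sample subscription data are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Constructed secret for the example. In the real integration this is the
# Recurly private key stored in the control panel, never shipped to the browser.
PRIVATE_KEY = b"constructed-private-key-not-a-real-secret"
SIGNATURE_TTL_SECONDS = 3600  # how long a signed form may be used


def sign_subscription_request(plan_code, private_key=PRIVATE_KEY, now=None, nonce=None):
    """Build the 'signature|data' string the view hands to the template.

    Signing the plan code server-side means a visitor editing the page's
    javascript cannot swap in a different plan: the provider recomputes the
    HMAC with the same private key and rejects anything that does not match.
    """
    now = int(time.time()) if now is None else now
    nonce = nonce or secrets.token_hex(16)
    data = urlencode([("plan_code", plan_code), ("timestamp", str(now)), ("nonce", nonce)])
    signature = hmac.new(private_key, data.encode(), hashlib.sha256).hexdigest()
    return f"{signature}|{data}"


def verify_signed_request(signed, private_key=PRIVATE_KEY, now=None):
    """Model the check the payment provider performs on the signed data.

    Returns the parsed fields when the signature is valid and fresh, else None.
    Useful for a unit test of the signing view, since the only other way to
    confirm a signature is to submit it to the provider.
    """
    try:
        signature, data = signed.split("|", 1)
    except ValueError:
        return None
    expected = hmac.new(private_key, data.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(signature, expected):
        return None
    fields = dict(parse_qsl(data, strict_parsing=True))
    now = int(time.time()) if now is None else now
    if abs(now - int(fields.get("timestamp", "0"))) > SIGNATURE_TTL_SECONDS:
        return None  # stale or replayed form
    return fields


def handle_subscription_callback(post_data, fetch_subscription, expected_plan_code):
    """Callback view logic after recurly.js reports a successful subscription.

    Nothing in the POST body except the token is trusted; plan, state and
    amount are read back from the provider's API through fetch_subscription
    (here a caller-supplied function standing in for the API client).
    """
    token = post_data.get("recurly_token")  # field name is an assumption
    if not token:
        return {"ok": False, "reason": "missing token"}
    subscription = fetch_subscription(token)
    if subscription is None:
        return {"ok": False, "reason": "unknown token"}
    if subscription["plan_code"] != expected_plan_code:
        return {"ok": False, "reason": "plan mismatch"}
    if subscription["state"] != "active":
        return {"ok": False, "reason": f"subscription {subscription['state']}"}
    return {"ok": True, "subscription_uuid": subscription["uuid"], "redirect": "/thank-you/"}


# Constructed stand-in for the API lookup so the example runs offline.
FAKE_SUBSCRIPTIONS = {
    "tok_constructed_1": {"uuid": "sub-0001", "plan_code": "monthly", "state": "active"},
    "tok_constructed_2": {"uuid": "sub-0002", "plan_code": "monthly", "state": "canceled"},
}


def demo_fetch_subscription(token):
    return FAKE_SUBSCRIPTIONS.get(token)


if __name__ == "__main__":
    signed = sign_subscription_request("monthly")
    print("signed form data:", signed)
    print("verifies:", verify_signed_request(signed) is not None)
    print(handle_subscription_callback({"recurly_token": "tok_constructed_1"},
                                       demo_fetch_subscription, "monthly"))
```

The plan-code check in the callback is what makes the per-campaign plan code setting mentioned above safe to rely on: the view compares the subscription the provider actually created against the plan the campaign expected, rather than against anything the browser posted.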
On the javascript side, loading the Recurly form is pretty simple. You pass some config variables and a jQuery selector for where to place the form, and the form is injected into the page's HTML. The form HTML is very elegantly structured with good selectors, allowing for easy customization.
There is a Salesforce integration available from Recurly but it is an additional monthly charge. I still need to figure out how to integrate the payments and subscription profiles.
The recurly.js library also allows for creation of Update Subscription forms allowing users to update their billing information from your website while keeping all credit card data flowing through PCI Level 1 channels. Integrating subscription updating should be on the list as well.