Back to Gateway Index
Authorize.Net logo
Payment Gateway

Authorize.Net

Veteran US/Canada payment gateway for merchants who already have (or want to bring) their own merchant account

Builder Verdict

Pick Authorize.Net when you already have a favourable merchant-account relationship and need a battle-tested gateway with ARB and CIM — skip it if you want Stripe-tier developer experience or native 3DS2.

Complexity

◆◆ Moderate

Region

US & Canada (merchant location)

Fees

$25/mo + 2.9% + 30¢ (All-in-One)

Authorize.Net is one of the oldest payment gateways in the industry, founded in 1996 and now a wholly-owned subsidiary of Visa (via CyberSource). It serves merchants based in the US and Canada primarily, offering a gateway-plus-merchant-account bundle (All-in-One) or gateway-only integration with an existing acquirer, and supports cards, eChecks (ACH), Apple Pay, Google Pay, and PayPal.

Last full audit: April 15, 2026

01

Trust Score Breakdown

Account Stability

74/100

Because the merchant account is separate from the gateway, Authorize.Net itself doesn't freeze funds the way aggregator-style processors do. Stability depends on the underlying MSP. Onboarding via partners like Zen Payments has drawn complaints in 2026 reviews, but post-approval accounts are generally stable.

Developer Experience

55/100

API is dated (XML-first with JSON translated to XML internally; strict element ordering required), documentation is functional but nowhere near Stripe-tier, and Authorize.Net does not natively support 3DS2 — merchants needing SCA must integrate a third-party like Cardinal Commerce. Webhooks v1 is being decommissioned in April 2026 (move to v2 required).

Payout Reliability

75/100

Payouts are handled by the underlying merchant account (CyberSource or partner acquirer), not Authorize.Net itself. With Visa as parent company and decades of uptime, funding is reliable when the acquirer is in good standing. Timing depends on the MSP rather than the gateway.

Support Quality

50/100

Trustpilot and G2 reviews repeatedly cite poor support: 'no tech staff there', long resolution times on integration errors, and difficulty getting answers on merchant-account-level questions that get deflected to the partner MSP. 24x7 live support is advertised but users report it is phone-first and slow to escalate developer issues.

Track Record

92/100

Founded in 1996, Authorize.Net is one of the oldest payment gateways in operation and is owned by Visa via CyberSource. Processes card and ACH for a large installed base of small/medium merchants with strong uptime (status.authorize.net shows only minor incidents). Continues to ship updates (webhooks v2, Accept.js, Accept Hosted).

Transparency

55/100

Published plan prices are clear ($25/month + 2.9% + 30¢ for All-in-One), but the Gateway-Only path layers gateway fees on top of an external merchant account's interchange-plus (or tiered) pricing. The CyberSource Internet Merchant Account fee schedule (monthly fee, authorization fee, qualified/non-qualified surcharges, chargeback, batch, network assessments) is only visible in a linked PDF — total effective rate is harder to calculate than with Stripe.

02

Availability Matrix

Region Countries Currencies Payout Timing
North America (merchant location) United States, Canada USD, CAD (processor-dependent; each Authorize.Net account is set to a single currency — a second currency requires a second account) Set by the underlying merchant account / acquirer (typically T+1 to T+3 business days)
UK, Europe, Australia (via CyberSource) United Kingdom, Australia, and 33 European countries — accepted only via the CyberSource onboarding path, not direct Authorize.Net signup USD, CAD, EUR, GBP, AUD and others depending on the CyberSource processor Set by CyberSource and the local acquirer
NOT available for direct signup All countries outside the US and Canada — Authorize.Net itself directs non-US/Canada merchants to contact CyberSource instead N/A N/A
03

Feature Snapshot

One-time Card Payments

Accepts Visa, Mastercard, Discover, American Express, JCB, and Diners Club via the Authorize.Net API, Accept.js, Accept Hosted, or Accept Customer flows.

Subscriptions / Recurring Billing (ARB)

Automated Recurring Billing (ARB) schedules recurring card or eCheck charges with trial periods. Runs batches daily around 08:30 GMT. Creating an ARB subscription also creates a CIM profile automatically when CIM is active.

Tokenization / Stored Cards (CIM)

Customer Information Manager (CIM) stores cards and bank accounts on Authorize.Net servers and issues profile IDs used in place of raw card data — reduces PCI scope and enables one-click repeat purchases.

Hosted Payment Page (Accept Hosted)

Accept Hosted is an iframe-based mobile-optimized payment form served from Authorize.Net — the most PCI-friendly option (SAQ A).

Custom Payment Form (Accept.js)

Accept.js is a JavaScript library that tokenizes card data client-side and returns a single-use payment nonce (valid 15 minutes) — keeps you at SAQ A-EP with your own UI.

~

Webhooks

Webhooks REST API covers transaction, customer profile, subscription, and fraud-filter events with HTTP Basic Auth. Webhooks v1 is being decommissioned in April 2026 — integrations must migrate to v2.

3D Secure 2 (SCA)

Authorize.Net does not natively support 3DS/3DS2 payer authentication. Merchants needing PSD2 SCA must pass through a third-party authentication provider such as Cardinal Commerce.

Apple Pay

Supported via the Authorize.Net Accept Mobile SDKs and the web Payment Request API. No separate fee.

Google Pay

Supported for American Express, Discover, JCB, Mastercard, and Visa. Available via web and the Accept Mobile SDKs.

PayPal

PayPal Express Checkout can be enabled as an additional payment method on an Authorize.Net account.

eCheck / ACH (eCheck.Net)

Accepts ACH bank-account debits at 0.75% per transaction with no fixed per-transaction fee. Returned-item fee applies via the merchant account.

Advanced Fraud Detection Suite (AFDS)

13 rules-based filters including hourly/daily velocity, amount thresholds, AVS handling, suspicious-transaction detection, and IP blocking. Free to enable.

Invoicing

Digital invoicing is bundled in both All-in-One and Gateway-Only plans.

Virtual Terminal

Merchant Interface includes a virtual terminal for MOTO / keyed-in transactions.

~

In-Person / POS

Authorize.Net supports card-present transactions through partner POS integrations; it is primarily positioned as a card-not-present gateway.

Marketplace / Split Payments

No native marketplace / connected-account splitting equivalent to Stripe Connect. Multi-party flows require custom merchant-account arrangements.

Multi-Currency on One Account

Each Authorize.Net account is locked to a single currency. Accepting a second currency requires creating a second Authorize.Net account.

04

Pricing Breakdown

All-in-One plan (gateway + merchant account) $25/month + 2.9% + 30¢ per card transaction
Gateway Only plan (bring your own merchant account) $25/month + 10¢ per transaction + 10¢ daily batch fee
Gateway + eCheck plan $25/month + 10¢ per transaction + 10¢ daily batch fee + 0.75% per eCheck
Setup fee $0 (no setup fee on published plans)
Chargeback fee (CyberSource-backed merchant account) $19.00 per chargeback
ACH return fee (CyberSource-backed merchant account) $20.00 per return
CyberSource Internet Merchant Account — monthly fee (when bundled) $9.95/month (in addition to the $25 gateway fee)
CyberSource Internet Merchant Account — authorization fee $0.25 per authorization
CyberSource qualified discount rate (Visa/MC/Discover) 2.19%
CyberSource non-qualified surcharge (Visa/MC/Discover) +1.45% on non-qualified transactions (rewards cards, business cards, international cards often fall here)
Monthly minimum discount (CyberSource) $25.00 minimum processing (charged if processing fees don't reach this)
Network fees (Visa/MC/Discover international assessments) Visa international 0.40%, MC cross-border 0.40% + international assessment 0.45%, Discover international processing 0.40% + service 0.55%
Early termination fee Waived
05

Security & Compliance

PCI DSS Authorize.Net renews PCI DSS compliance annually as a payment gateway service provider and is listed on the Visa Global Registry of Service Providers.
SOC 1 / SSAE-18 Validated annually by external auditors for SSAE-18 (SOC 1) reporting.
Merchant PCI scope Accept Hosted keeps the merchant at SAQ A (form is served from Authorize.Net in an iframe). Accept.js keeps the merchant at SAQ A-EP (raw card data never reaches merchant servers — returned as a 15-minute payment nonce).
3D Secure / SCA No native 3DS1 or 3DS2 support. Merchants needing PSD2-compliant Strong Customer Authentication must integrate through Cardinal Commerce or another external payer-auth provider.
Fraud prevention Advanced Fraud Detection Suite (AFDS) — 13 rules-based filters including velocity, amount, AVS, suspicious-transaction, and IP blocking.
Tokenization CIM stores payment credentials on Authorize.Net servers behind profile IDs; Accept.js issues single-use nonces.
Webhook authentication HTTP Basic Auth (API Login ID : Transaction Key, Base64-encoded) on delivery; signature-style verification added in Webhooks v2.
06

Integration Prompt

Copy & use this 6275-char integration prompt

Production-ready prompt for Claude / GPT / Cursor — handles setup, security, webhooks & gotchas

 
You are integrating Authorize.Net as a payment gateway into a [Django / Next.js / etc.] application.

## Setup
1. Create an Authorize.Net sandbox account at https://developer.authorize.net/hello-world/sandbox/ and a production merchant account (All-in-One) or a Gateway-Only account bonded to an existing merchant account.
2. From the Merchant Interface, collect three credentials and store them in environment variables — never hardcode:
   - `AUTHNET_API_LOGIN_ID` (Account → Settings → Security Settings → API Credentials & Keys)
   - `AUTHNET_TRANSACTION_KEY` (same screen — generate a new one and save it immediately, it cannot be retrieved later)
   - `AUTHNET_PUBLIC_CLIENT_KEY` (Account → Security Settings → Manage Public Client Key — this is the one used by Accept.js in the browser)
3. Add `AUTHNET_ENVIRONMENT` = `sandbox` or `production` and switch endpoints accordingly:
   - Sandbox: `https://apitest.authorize.net/xml/v1/request.api`
   - Production: `https://api.authorize.net/xml/v1/request.api`
4. Install the official SDK (e.g., `pip install authorizenet` for Python, `npm install authorizenet` for Node.js). Use the SDK rather than hand-rolling XML/JSON — Authorize.Net's API requires strict XML element ordering even when you send JSON.

## Recommended Integration: Accept.js (SAQ A-EP) or Accept Hosted (SAQ A)
For the lowest PCI scope and a modern flow, use Accept Hosted (iframe served from Authorize.Net) or Accept.js (your own form, client-side tokenization). Never submit raw PAN/CVV to your server.

### Accept.js flow
1. Load `https://jstest.authorize.net/v1/Accept.js` (sandbox) or `https://js.authorize.net/v1/Accept.js` (production) in your checkout page.
2. Build your card-entry form with `data-accept` attributes. Mark card fields so they are stripped before submission to your server.
3. On submit, call `Accept.dispatchData({ authData: { apiLoginID, clientKey }, cardData })`. Authorize.Net returns a single-use `opaqueData` payment nonce valid for 15 minutes.
4. Post the nonce (not the card data) to your server, then use the SDK to call `createTransactionRequest` with `payment.opaqueData` populated from the nonce.

### Server-side (Python example)
```python
from authorizenet import apicontractsv1
from authorizenet.apicontrollers import createTransactionController

merchant = apicontractsv1.merchantAuthenticationType(
    name=os.environ['AUTHNET_API_LOGIN_ID'],
    transactionKey=os.environ['AUTHNET_TRANSACTION_KEY'],
)

opaque = apicontractsv1.opaqueDataType(
    dataDescriptor='COMMON.ACCEPT.INAPP.PAYMENT',
    dataValue=nonce_from_client,
)
payment = apicontractsv1.paymentType(opaqueData=opaque)

tx = apicontractsv1.transactionRequestType(
    transactionType='authCaptureTransaction',
    amount=Decimal('20.00'),
    payment=payment,
    refId=internal_order_id,          # stamped into the transaction
)
request = apicontractsv1.createTransactionRequest(
    merchantAuthentication=merchant, transactionRequest=tx,
)
controller = createTransactionController(request)
controller.setenvironment(settings.AUTHNET_URL)
controller.execute()
response = controller.getresponse()
```

## Webhooks (migrate to v2 — v1 is decommissioned April 2026)
1. Create an endpoint on your server and register it under Account → Settings → Webhooks with the events you care about: `net.authorize.payment.authcapture.created`, `net.authorize.customer.subscription.cancelled`, `net.authorize.payment.refund.created`, etc.
2. Authorize.Net authenticates webhook delivery with HTTP Basic Auth (your API Login ID : Transaction Key, Base64-encoded) — validate this header on every request.
3. Verify the payload signature using the X-ANET-Signature header (HMAC-SHA512 of the body with your webhook signature key) — required on v2.
4. Return a 2xx quickly, then process asynchronously. Retry behaviour: Authorize.Net retries on 5xx.
5. Note the known 2026 issue: some webhook payloads have been missing the response code, amount, or transaction ID — always re-fetch the transaction by ID from the API to confirm final state rather than trusting the webhook body blindly.

## Recurring billing: ARB + CIM
- Use CIM (`createCustomerProfileRequest`) to store the card, then reference the customer/payment profile IDs in your app.
- Use ARB (`ARBCreateSubscriptionRequest`) to schedule recurring charges with interval, start date, total occurrences, trial period and trial amount. ARB batches run daily around 08:30 GMT.
- Listen for `net.authorize.customer.subscription.expiring`, `.suspended`, and `.cancelled` webhooks to keep your internal subscription state in sync.

## Security best practices specific to Authorize.Net
- Never ship the Transaction Key to the browser — only the Public Client Key is safe for client-side use.
- For UK/EU customers subject to PSD2 SCA, integrate Cardinal Commerce (or another payer-auth provider) in front of the gateway — Authorize.Net does not natively support 3DS1 or 3DS2.
- Enable Advanced Fraud Detection Suite (AFDS) filters: at minimum, hourly velocity, suspicious transaction, enhanced AVS handling, and IP blocking.
- Set a `refId` on every transaction equal to your internal order/invoice ID — this is the only reliable way to idempotently reconcile when a retry occurs.
- If you use Gateway-Only, request the full fee schedule from your MSP before going live — non-qualified surcharges and network assessments can push effective rates well above the headline number.

## Testing
- Use sandbox credentials and the sandbox endpoint. Test card numbers: `4111 1111 1111 1111` (Visa success), `4222 2222 2222 2222` (decline test), `6011 0000 0000 0012` (Discover).
- Test ARB behaviour by creating subscriptions with short (daily) intervals in the sandbox.
- Simulate webhook delivery using the AuthorizeNet/webhooks-postman-collection repo on GitHub.

## Common gotchas
- JSON elements must appear in the order documented in the API Reference — the server translates JSON to XML internally.
- Each Authorize.Net account is locked to a single currency. Multi-currency checkout requires multiple accounts routed by country.
- Authorize.Net does not natively split payments across multiple merchants — there is no Connect-style marketplace flow.
- The `refId` field is your idempotency lifeline. Use it.

Replace [Django / Next.js / etc.] with your stack. Follows PCI DSS best practices and handles common edge cases.

07

Common Pitfalls

7 items
1

No native 3D Secure 2 — SCA requires a third party

Authorize.Net does not support 3DS1 or 3DS2 natively. If you sell to customers in the UK/EU or anywhere PSD2 SCA applies, you must integrate a payer-authentication provider such as Cardinal Commerce on top of the gateway. This is the single most common surprise for merchants comparing Authorize.Net to Stripe or Adyen.

2

Webhooks v1 decommissioning in April 2026

Webhooks version 1 is being shut down in April 2026; existing endpoints must be migrated to Webhooks v2 via the Developer Center. If your integration is silently using v1 events, events will stop arriving — confirm the Merchant Interface shows v2 subscriptions and update handler payloads.

3

XML-first API with strict element ordering

Although the Authorize.Net API accepts JSON, it is internally translated to XML and requires the elements to be in the exact order shown in the API Reference. Sending valid JSON in the wrong key order produces confusing validation errors. Mitigation: use the official SDK for your language rather than hand-rolling requests.

4

Fee stacking on Gateway-Only and CyberSource-backed accounts

Published pricing is $25/mo + per-transaction, but the merchant account layer adds its own monthly fee, authorization fee, non-qualified surcharges (1.45% on rewards/business cards), batch fees, and network assessments (0.40–0.55% international). Effective rate on an international rewards card can exceed 5%. Mitigation: request a full fee schedule from your MSP before committing.

5

Merchants outside US/Canada get routed through CyberSource

Authorize.Net direct signup only accepts US- and Canada-based merchant accounts. UK, EU, and Australian merchants are routed to CyberSource — different contract, different fee schedule, different support queue. Onboarding through partner MSPs (e.g., Zen Payments) has drawn repeated complaints in 2026 reviews.

6

One currency per account

Each Authorize.Net account is configured for exactly one settlement currency. Merchants needing multi-currency settlement must open a separate Authorize.Net account per currency — there is no Stripe-style multi-currency toggle.

7

Support quality gap on developer issues

Trustpilot, G2, and Capterra reviews in 2025–2026 consistently cite slow, phone-first support and deflection to the partner MSP for merchant-account questions. Integration-level questions are answered in the community forum, but response times can be days. Mitigation: use the official SDKs and the Postman collections, and treat community.developer.cybersource.com as the primary support channel for code problems.

08

Community Pulse

Community sentiment in 2025–2026 is mixed and skews negative on developer experience and support. Long-time merchants praise reliability and the separation of gateway from merchant account (accounts rarely get frozen the way aggregator accounts do), and small/medium businesses value the mature ARB/CIM subscription plumbing. Frustrations cluster around the dated XML-first API, documentation that doesn't match Stripe's clarity, the absence of native 3DS2, opaque fee stacking when bundled with a CyberSource merchant account, and slow support (particularly on onboarding through partners like Zen Payments). Authorize.Net remains recommended primarily when an existing merchant-account relationship or a legacy integration makes switching uneconomical.

💬 Authorize.Net Reviews — Trustpilot Trustpilot · 2026
💬 authorize.net Reviews 2026 G2 · 2026
💬 Challenges with Authorize.Net API — Seeking Advice CyberSource Developer Community · 2025
💬 Authorize.net Reviews & Complaints CardPaymentOptions · 2026
💬 Stripe vs Authorize.net: Payment Gateway Comparison 2026 Contra Collective · 2026

Sentiment last updated: April 2026 · We summarize — never copy — community content. Links go to original threads.

09

Changelog

  1. logo

    Added brand logo — rendered 400×53 transparent PNG via resvg_py from the Wikimedia Commons Authorize.Net wordmark SVG (depicted text is ineligible for copyright). Brightness 0 (pure black wordmark) → no logo_bg needed, default cream card applies.

  2. pricing

    Initial pricing verified: $25/mo All-in-One at 2.9%+30¢; Gateway-Only at $25/mo + 10¢/tx + 10¢ batch; eCheck at 0.75%. Added full CyberSource Internet Merchant Account fee schedule (monthly $9.95, auth $0.25, qualified 2.19%, non-qualified +1.45%, chargeback $19, ACH return $20, minimum $25, network assessments).

  3. availability

    Initial availability verified: direct signup US+Canada only; UK/EU/AU routed through CyberSource; each account locked to one currency.

  4. features

    Initial feature matrix populated (17 items) — ARB, CIM, Accept.js, Accept Hosted, webhooks (v1 decommissioning Apr 2026), Apple Pay, Google Pay, PayPal, eCheck, AFDS, invoicing, virtual terminal. 3DS2, marketplace splits, and multi-currency on one account marked 'no'.

  5. security

    Initial security record: PCI DSS annual renewal as service provider, SOC 1/SSAE-18 audited, Accept Hosted = SAQ A, Accept.js = SAQ A-EP, no native 3DS/3DS2.

  6. pitfalls

    Initial pitfalls list (7 items) — no 3DS2, webhooks v1 decommission, XML element ordering, fee stacking, US/CA direct-signup only, one currency per account, support quality.

  7. community

    Initial community pulse synthesized from Trustpilot, G2, CardPaymentOptions, CyberSource developer community, and 2026 comparison coverage.

  8. trust_score

    Initial trust score: overall 67. Strong track_record (92) and payout_reliability (75); weakness on developer_experience (55), transparency (55), and support_quality (50).

  9. integration_prompt

    Initial integration prompt authored — Accept.js / Accept Hosted preferred for lowest PCI scope; Webhooks v2 migration called out; Cardinal Commerce noted as 3DS2 fallback.

  10. all

    Initial gateway entry created end-to-end via /add-payment-gateway.

Back to Gateway Index

LearnWithHasan.com · Payment Gateway Index · No affiliate links · Builder-first