Authorize.Net CIM With Stored Cards



Magento Platform
Open Source (CE)
2.0, 2.1, 2.2, 2.3
Commerce using on prem (EE)
2.0, 2.1, 2.2, 2.3
Extends Page Builder

Tech Specifications

Current Version:
Stable Build
30 August, 2019
Extensions, Payments & Security, Payment Integration
Supported Browsers:
Chrome Linux: 42, 43, 44 Mac: 39, 44 Windows: 39, 40, 42, 43, 44
License Type:


Certified by Authorize.Net.  The convenience of stored credit cards, with uncompromising security.


Back to top

Authorize.Net is one of the world's largest payment gateways, serving over 400,000 merchants. Their services allow you to accept payment from your customers, by credit card or eCheck, straight from your website. This extension brings Authorize.Net's  Customer Information Manager (CIM) service to Magento 2. Authorize.Net CIM takes payment processing to a whole new level, by allowing your customers to store their payment info on Authorize.Net's secure servers. This gives you and your customers the convenience of stored credit cards, with all the security of Authorize.Net. It also allows us to give you many advanced features that most payment methods aren't capable of.


Account & Pricing

There is no extra fee for the Customer Information Manager service, but you must have an active Authorize.Net account. Authorize.Net's standard account fees are $25/mo and 2.9% + $0.30 per transaction. See here for complete pricing info. Sign up for an Authorize.Net merchant account if you don’t have one already.



This module supports all standard payment actions. It also allows customers to save their payment info for future use. This gives returning customers the convenience of stored credit cards and rapid checkout, without breaking PCI compliance.

The first time a customer checks out, they are given a form to enter credit card details. If they choose to save the card, next time they check out they can reuse that card with a single click. Your customers can also view, add, edit, and delete any of their stored payment info through a 'Manage My Cards' interface in their account. All frontend features are also available in the Magento Admin Panel.

  • Pay by credit card or ACH (eCheck)*
  • Save credit cards (tokens) for reuse
  • Add, edit, and delete saved payment data
  • Edit orders and reorder, without having to ask the customer for CC info again
  • Authorize, Capture, or Save CC Info (without charging) at time of checkout
  • Capture funds even after the authorization expires
  • Partially invoice orders (including reauthorization on partial invoice)
  • Partially refund (online credit memo)
  • Send shipping address and line items to Authorize.Net
  • Require CCV code when adding a card, or with every purchase
  • Validate billing address with Address Verification (AVS)
  • Protect against fraud with Advanced Fraud Detection Suite (AFDS) and hold-for-review
  • Integrate your systems thanks to Magento API support (REST and GraphQL)
  • Use a different Authorize.Net account for each website (multi-store support)
  • Supports ParadoxLabs Adaptive Subscriptions extension

* This extension has built-in support for ACH processing. ACH is configured as its own payment method, and can be enabled or disabled at will. To process ACH payments, you must apply and be accepted by Authorize.Net. For more info, see Authorize.Net's eCheck.Net FAQ.



Stored payment info is good for your business and customers.

  • It simplifies checkout.
  • It encourages customer loyalty.
  • It streamlines order management and integrations.
  • It lets your staff quickly process orders and billing changes, without needing customers to repeat their credit card info.

All frontend features are available in the admin panel. This means admins can view, add, edit, and delete customers' stored cards, and place orders using them.

When editing an order, you can reuse the payment info, even for guest orders.



This is an Authorize.Net Certified Solution since 2013, listed in Authorize.Net's official certified solutions directory. Our payment modules are used on thousands of Magento stores, and our reviews speak for themselves.



All communication with Authorize.Net is performed with TLS encryption, and no confidential cardholder data is ever stored on your own server. A process called tokenization is used to run transactions with stored payment information. This lets your customers pay with a 'saved' card that's not on your server at all.

We also support Authorize.Net's proprietary Accept.js API. Accept.js allows credit card information to be sent straight from your customers' browsers to Authorize.Net, without touching your web server at all. Instead, Authorize.Net gives us a one-time-use token (nonce) that refers to it. Since your web server never sees the raw credit card number, this improves your website's security and reduces your PCI compliance exposure.


PCI Compliant

PCI compliance is a complex and multifaceted issue, covering every aspect of your business. We can't guarantee that your business is PCI-compliant. That depends on your server, policies, processes, regular security scans, other payment methods offered, and a lot more. What we can tell you is that this extension will not prevent you from being PCI compliant. We don't store or log confidential cardholder data, or do anything else that would bring you under scrutiny.

The exact PCI scope of this extension depends on your configuration.

  • If you enable Accept.js, using this payment method for all credit card transactions may make you eligible for PCI Self-Assessment Questionnaire (SAQ) A-EP.
  • If you do not enable Accept.js, this payment method falls under the scope of PCI SAQ D.

For details on the SAQ types and what eligibility means, see "Self-Assessment Questionnaire Instructions and Guidelines (3.2)" (PDF, by PCI Standards Security Council).



Progressive Web Apps are the future, and we're ready for them.

This extension fully supports GraphQL and guest/customer REST APIs, allowing you to build out checkout and customer card management interfaces within your PWA, mobile app, or other 'headless' architecture.

GraphQL requires Magento 2.3.1 or newer.

Complete API documentation is available in our user manual.



The user manual covers:

  • Installation
  • Configuration
  • Features and usage
  • Common questions and issues
  • Technical info

View: Authorize.Net CIM User Manual (PDF)



We are experienced, certified Magento developers. All of our code is clean, well-documented, and follows all Magento standards and techniques. We make sure to do things the right way.

Our source code is 100% unencoded (viewable source). When you purchase this extension, you get full access to view and modify it any way you need to (within the license terms).

ParadoxLabs is a proud Magento Solution Partner and member of ExtDN.org, the Extension Developers Network.



 We pride ourselves on excellent support. Your purchase includes one year of complimentary extension support, plus free bug fixes and updates for the lifetime of this extension. If you find that it doesn't work as we intended in a standard installation, we'll help you fix that.

ParadoxLabs has been building and maintaining Magento payment integrations for years. Our integrations process billions of dollars in transactions a year for thousands of stores like yours, and our support is top-notch. Our solutions work for others—they can work for you too.

Our staff are all located in the United States, with an office in downtown Lancaster, PA, open weekdays from 8 AM to 5 PM Eastern Time. Have a question, or want to try it out? Give us a call at 717-431-3330, or email us at sales@paradoxlabs.com.


Release Notes

Back to top


  • Compatible with Open Source (CE) : 2.1 2.2 2.3
  • Compatible with Commerce using on prem (EE) : 2.1 2.2 2.3
  • Stability: Stable Build
  • Description:

    - Fixed 'enter' submitting checkout despite disabled button.
    - Fixed a PHP error on order view with Klarna enabled on Magento 2.3.
    - Fixed checkout validation issues and related conflicts with some custom checkouts.
    - Fixed CVV tooltip on Magento 2.3 checkout.
    - Fixed fraud update for expired transactions.
    - Fixed potential errors on legacy CIM card import when processing incomplete records.


  • Compatible with Open Source (CE) : 2.1 2.2 2.3
  • Compatible with Commerce using on prem (EE) : 2.1 2.2 2.3
  • Stability: Stable Build
  • Description:

    - Fixed admin order form validation issues.
    - Fixed admin order submit buttons staying disabled when switching to the 'free' payment method.
    - Fixed deprecated md5_hash references.
    - Fixed error on settings page when changed_paths is missing on older M2 versions.
    - Fixed form validation when CVV is disabled.
    - Fixed fraud update processing of declined transactions.
    - Fixed gateway syncing on REST card create/update.
    - Fixed quality issues for latest Magento coding standards.
    - Fixed unescaped output on configuration page.


  • Compatible with Open Source (CE) : 2.1 2.2 2.3
  • Compatible with Commerce using on prem (EE) : 2.1 2.2 2.3
  • Stability: Stable Build
  • Description:

    - Added Accept.js test to admin configuration.
    - Added CC type detection to all payment forms.
    - Added GraphQL API support for customer card management.
    - Added protection to frontend checkout to help prevent abuse. (Will now block after numerous failures.)
    - Added REST API support for guest and customer card management.
    - Improved (completely overhauled) form processing and validation.
    - Improved codebase by moving common code from gateways into the TokenBase library.
    - Fixed ACH JS error on frontend card management.
    - Fixed errors pulling the wrong message from API response data in certain cases.
    - Fixed handling of duplicate cards within database records.
    - Fixed partially-missing server-side payment validation on account payment save.
    - Fixed possible errors on legacy card import for CIM stored cards with no country or state.
    - Fixed possible unresolvable errors with invalid profile IDs after changing gateway accounts.
    - Fixed server-side CC validator in the absence of Accept.js data.


  • Compatible with Open Source (CE) : 2.1 2.2 2.3
  • Compatible with Commerce using on prem (EE) : 2.1 2.2 2.3
  • Stability: Stable Build
  • Description:

    - Fixed missing billing address on expired transaction recaptures.
    - Fixed template loading on composer installs.


  • Compatible with Open Source (CE) : 2.1 2.2 2.3
  • Compatible with Commerce using on prem (EE) : 2.1 2.2 2.3
  • Stability: Stable Build
  • Description:

    - Updated composer dependency versions for Magento 2.3.
    - Fixed Magento 2.3 compatibility issue in upgrade script.


  • Compatible with Open Source (CE) : 2.0 2.1 2.2
  • Compatible with Commerce using on prem (EE) : 2.0 2.1 2.2
  • Stability: Beta Build
  • Description:

    - Added CC number input formatting.
    - Fixed AFDS 'do not authorize, hold for review' response handling.
    - Fixed API delete not reaching payment gateway.
    - Fixed partial invoicing with reauthorization disabled.


  • Compatible with Open Source (CE) : 2.0 2.1 2.2
  • Compatible with Commerce using on prem (EE) : 2.0 2.1 2.2
  • Stability: Stable Build
  • Description:

    - Updated Authorize.Net certificate authorities for changed sandbox SSL.
    - Fixed incorrect OrderCommand argument with 'save info' payment action.
    - Fixed non-digit characters throwing off last4 numbers on checkout submit with Accept.js.
    - Fixed possible API error with empty or extended-characters-only product names.
    - Fixed possible VirtualType compilation errors.
    - Fixed required indicator when phone number is set to not required.


  • Compatible with Open Source (CE) : 2.0 2.1 2.2
  • Compatible with Commerce using on prem (EE) : 2.0 2.1 2.2
  • Stability: Stable Build
  • Description:

    - Added support for $0 checkout.
    - Improved currency handling.
    - Improved handling of expiration date when loading cards from CIM.
    - Improved performance of Manage Cards with many cards and orders (thanks Steve).
    - Fixed 'Auto-select' setting on default checkout.
    - Fixed 'Verify SSL' setting on Magento 2.1.9+.
    - Fixed Accept.js nonce handling on payment step AJAX reload.
    - Fixed field validation stripping dashes from addresses.
    - Fixed logging issues in Magento 2.2.
    - Fixed order status handling on 'save' payment action and some other edge cases.
    - Fixed possible card update error with Accept.js in limited circumstances.
    - Fixed possible unserialize address errors on 4.0 upgrade.
    - Fixed possible validation JS errors on CC forms.
    - Fixed shipping address not being sent on reauthorization transactions.
    - Fixed stored card association on post-register checkout.
    - Fixed stored card validation with no expiration date given.
    - Changed param type of setMethodInstance() in ParadoxLabs\TokenBase\Api\Data\CardInterface.


  • Compatible with Open Source (CE) : 2.0 2.1 2.2
  • Compatible with Commerce using on prem (EE) : 2.0 2.1 2.2
  • Stability: Stable Build
  • Description:

    - Compatibility fixes for Magento 2.2.
    - Improved API support, particularly for card create/update.
    - Changed DI proxy argument handling for Magento 2.2 compatibility.
    - Changed order status handling for Magento 2.2 compatibility.
    - Changed payment command classnames for PHP 7.1 compatibility.
    - Fixed admin card 'delete' button deleting rather than queuing deletion.
    - Fixed checkout edge case with valid token not being cleared after an Accept.js validation error.
    - Fixed ExtensionAttribute implementation on Card model.
    - Fixed possible PHP error on admin order create in compiled multi-store environments.
    - Fixed possible static content deploy issues with template comments.
    - Fixed REST API permission handling.
    - Fixed restricted order statuses being selectable as payment method 'New Order Status'.

    This release adds support for Magento 2.2. It is still compatible with Magento 2.0 and 2.1, but there are some notable code changes from earlier releases. If you have customizations around the extension, these may be significant:
    - Added getAdditionalObject() to ParadoxLabs\TokenBase\Api\Data\CardInterface.
    - Added saveExtended() to ParadoxLabs\TokenBase\Api\CardRepositoryInterface.
    - Added CardAdditionalInterface support to ParadoxLabs\TokenBase\Model\Card::setAdditional().
    - Changed argument type of ParadoxLabs\TokenBase\Api\Data\CardInterface::setExtensionAttributes().
    - Changed paradoxlabs_stored_card 'address' and 'additional' fields from serialized to JSON.
    - Changed Proxy constructor arguments throughout module to inject Proxy via DI configuration.
    - Removed Unserialize constructor argument from ParadoxLabs\TokenBase\Model\Card\Context.


  • Compatible with Open Source (CE) : 2.0 2.1
  • Compatible with Commerce using on prem (EE) : 2.0 2.1
  • Stability: Stable Build
  • Description:

    Added browser CC autofill attributes to form fields.
    Added protection to frontend My Payment Data page to help prevent abuse. (Will now require order history to use, and block after numerous failures.)
    Added settings check for corrupted API credentials.
    Added split database support
    Fixed Accept.js error with CCV disabled.
    Fixed Accept.js load error with JS minify enabled.
    Fixed error on databaseless code generation.
    Fixed potential checkout error loop with Accept.js enabled and an invalid customerProfileId.
    Fixed potential error on reauthorization.
    Fixed validation error on admin checkout with new card.


  • Compatible with Open Source (CE) : 2.0 2.1
  • Compatible with Commerce using on prem (EE) : 2.0 2.1
  • Stability: Stable Build
  • Description:

    Fixed a possible PHP error on card edit.
    Fixed Accept.js not rebinding properly, causing issues on some custom checkouts.
    Fixed admin fraud update button (workaround for a core bug).
    Fixed CCV validation for stored cards with 'Require CCV' enabled.
    Fixed compatibility with Magento Cloud Edition.
    Fixed config scope issue when checking active payment methods in admin.
    Fixed leading-zero issues on CCV input.
    Fixed multishipping checkout when adding a new card with Accept.js enabled.
    Fixed order status being overwritten after invoicing an order.
    Fixed our custom attributes being visible on customer edit form.
    Fixed payment models being shared when running multiple transactions in a single request.
    Fixed possible PHP error on checkout failure.
    Fixed possible PHP error when using specific countries setting.
    Fixed potential checkout JS errors if Accept.js is not configured/enabled.


Back to top
The best place to start if you need help with a specific extension is to contact the developer. All Magento developers have both a contact email and a support email listed.

Q & A

Back to top


Back to top