Authorize.Net is a US payment gateway owned by Visa that lets merchants accept cards online via Accept.js, Accept Hosted forms and the Customer Information Manager, with built-in fraud detection.
Authorize.Net is one of the oldest payment gateways on the internet. Founded in 1996 and acquired by Visa in 2010, it lets merchants accept credit and debit cards, e-checks, digital wallets, and recurring billing. European merchants typically use it when they also sell in the United States, when they integrate with US shopping carts, or when their acquiring bank routes through Visa.
Authorize.Net exposes a REST API plus three integration patterns: Accept.js (client-side tokenisation, the merchant never sees the card number), Accept Hosted (a fully hosted payment page on accept.authorize.net), and the Customer Information Manager for stored profiles. Visa's Advanced Fraud Detection Suite enriches every transaction with rule-based and machine learning scores.
When Accept.js loads, it sets first-party cookies on its own domain (ASP.NET_SessionId, .ASPXAUTH) to maintain the tokenisation context. Accept Hosted runs on accept.authorize.net and sets additional cookies for fraud and session continuity. Authorize.Net processes the card number (or its token), expiry date, CVV, billing address, IP, user agent, and the device fingerprint used by the fraud engine.
Cookies set strictly to render the payment form and complete the purchase are considered strictly necessary under Article 5(3) ePrivacy and do not require consent. Fraud and analytics cookies that go beyond that scope do require consent. The processing of payment data has multiple legal bases stacked: contract performance for the payment itself, legitimate interest for fraud prevention, and legal obligation for tax and PSD2 obligations.
Authorize.Net runs in the United States. Cardholder and fraud data crosses the Atlantic. Visa, the parent company, is certified under the EU-US Data Privacy Framework and offers Standard Contractual Clauses. A Transfer Impact Assessment should be documented.
Sign the Authorize.Net DPA, document the transfer mechanism, and prefer Accept Hosted or Accept.js to keep your PCI DSS scope as low as SAQ A. Disclose Authorize.Net in your privacy notice, with the categories of data, the US transfer, retention, and rights. Restrict access to the merchant portal and enable 2FA. If you target the EU only, consider a European acquirer (Stripe, Adyen, Mollie) to avoid the transfer altogether.
Websites using Authorize.Net must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA can be useful when Authorize.Net is used to process consumer payments at scale in the EU. Document the data flow (cardholder data, billing address, IP, device fingerprint), the US transfer mechanism, the fraud detection signals, and the retention applied by Visa.
Sample consent text
We use Authorize.Net (operated by Visa) to process card payments. Authorize.Net sets cookies on its domain when its hosted form or Accept.js loads, and transfers payment and fraud data to the United States. The payment form is strictly necessary for the transaction; we still inform you about the international transfer.
Third-party domains contacted
accept.authorize.net
api.authorize.net
jstest.authorize.net
js.authorize.net
secure2.authorize.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ASP.NET_SessionId | http_cookie | Session | Session identifier set by Authorize.Net during payment processing, strictly necessary to complete the transaction. |
| .ASPXAUTH | http_cookie | Session | Authentication cookie used by the Authorize.Net merchant portal and Accept Hosted iFrame. |
| token | http_cookie | Session | Short-lived payment token cookie used during the Accept Hosted flow to bind the form submission to the merchant transaction. |
| akamai_bot | http_cookie | 30 minutes | Set by the Akamai bot management layer in front of Authorize.Net for fraud and bot prevention. |
Authorize.Net uses cookies for user preferences — inform visitors with a consent banner.
Accept.js and Accept Hosted typically set ASP.NET_SessionId and .ASPXAUTH on the Authorize.Net domain for session continuity. Additional fraud and tokenisation cookies may be set during the payment flow. These cookies are not stored on the merchant domain when using the hosted variants.
Cookies that are strictly necessary to render the payment form and complete the transaction are exempt from consent under Article 5(3) ePrivacy. Fraud or analytics cookies beyond that scope require consent. Inform users about the payment processor and the US transfer.
Contract performance under Article 6(1)(b) GDPR for the payment, legitimate interest under Article 6(1)(f) for fraud prevention, and legal obligation under Article 6(1)(c) for PSD2 strong customer authentication and tax retention.
Yes. Authorize.Net is operated by Visa in the United States. Transfers rely on the EU-US Data Privacy Framework and on Standard Contractual Clauses. A Transfer Impact Assessment is recommended for European merchants.
A DPIA is recommended for high-volume consumer payments, especially when combined with the fraud detection suite that profiles users. Document the data flow, the AI fraud model, the retention, and the safeguards for the US transfer.
Use Accept Hosted or Accept.js to limit PCI scope, sign the DPA, configure Strong Customer Authentication for European cards (3D Secure 2), set retention for stored profiles, and disclose Authorize.Net in your privacy notice with the categories and the US transfer mechanism.
For European merchants, consider Stripe, Adyen, Mollie, Worldline, Checkout.com or PayPlug. These providers offer EU acquiring, native SCA support, and clearer EU data residency. Pick based on geography, ticket size, and integration depth.
Add a payment processor section that names Authorize.Net, lists the cookies set during the payment, mentions the US transfer mechanism, the legal bases stacked for payment, fraud, and tax, and links to the Authorize.Net privacy notice.