Ubercart Recurring Payments and Subscriptions

 

At Univate we have been involved in a number of membership/subscription projects. To achieve this we use Ubercart Recurring Payments and Subscriptions (uc_recurring), a module that adds recurring payments support to the Ubercart e-commerce modules for Drupal. Univate has been actively involved in the development of the latest 2.x branch of this module.

The goal of the uc_recurring module is to provide the methods to integrate with any payment gateway that offers a recurring payment feature. It also provides the features to handle recurring payments in Ubercart. My opinion is that payment gateways should be maintained by the users that use them. To that end, uc_recurring provides a set of hooks/API to allow any payment gateway to expose its own recurring features so the module can use that gateway for processing recurring payments.

But we have a problem: Ubercart includes a number of popular gateways that are part of the core Ubercart modules. Rather than trying to work on Ubercart directly to add all the new features, particularly as we were still developing them, we have included the recurring functions for Ubercart's core gateways in include files within the uc_recurring project. My preference would be to see the recurring functionality returned to the gateways where it belongs so it can be maintained by users that actually use them.

Anyone else building payment gateways should include recurring support in their own module, as we have done with the payment gateway we use in Australia, uc_securepayau.

One of the common questions about this module is: why can't we just store credit card details and then use any payment gateway that's been written for Ubercart?

There are a couple of reasons why this will never become the focus of uc_recurring, but we have actually already partially implemented it. The test_gateway module provided by Ubercart includes functions for encrypting the details users enter and storing them in the database, which we have used when creating uc_recurring support for test_gateway.

But if you wanted to create this feature, all you need to do is write a payment method to replace uc_credit that implements the uc_recurring features.

The problem with adding this to uc_recurring and getting instant recurring payment support for all payment gateways is that almost everyone who has asked for this feature does not understand what the security issues are and does not have the technical resources to properly manage information like credit card details.

If you are interested in storing credit card details, you should first review the industry standard, PCI DSS. You will see that there are issues you need to consider outside the software you are using, so even if uc_recurring adds the features to encrypt and store credit cards, users still need the technical capabilities to set up their system in accordance with the PCI standards.

We may look at putting together some code to demonstrate how uc_recurring can manage credit card details. But if you pick the right payment gateway there is really no need to store credit card details yourself. With features like CIM in the Authorize.net gateway or the triggered payments in Securepay, these gateways can store the credit card details for you and take over a lot of the PCI requirements, so you don't need to worry about it. These gateways still provide the flexibility to charge whatever you want whenever you want, which is exactly the same as having the credit card details.

Any small cost for these services is far cheaper than paying someone to maintain and audit your system for security vulnerabilities, not to mention the potential liability if your system is compromised and credit card details are stolen.
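As an added example (not code from uc_recurring or Ubercart), the following PHP shows one way to check, before a recurring-fee record is saved, that it holds a gateway-issued reference and no card number. All function and field names, including `gateway_ref`, are hypothetical, and the sample data is constructed.

```php
<?php
// Added example: all names below are hypothetical, not uc_recurring or Ubercart API.
// Luhn checksum over a string of digits.
function example_luhn_valid($digits) {
  $sum = 0;
  $double = FALSE;
  for ($i = strlen($digits) - 1; $i >= 0; $i--) {
    $d = (int) $digits[$i];
    if ($double) {
      $d *= 2;
      if ($d > 9) {
        $d -= 9;
      }
    }
    $sum += $d;
    $double = !$double;
  }
  return $sum % 10 === 0;
}

// TRUE if $text holds a 13-19 digit run (single spaces or dashes allowed) passing Luhn.
function example_contains_pan($text) {
  preg_match_all('/\d(?:[ -]?\d){12,18}/', $text, $matches);
  foreach ($matches[0] as $candidate) {
    if (example_luhn_valid(preg_replace('/\D/', '', $candidate))) {
      return TRUE;
    }
  }
  return FALSE;
}

// Refuse to save a recurring-fee record that lacks a gateway reference or carries card data.
function example_check_recurring_record(array $record) {
  if (empty($record['gateway_ref'])) {
    throw new Exception('Recurring record has no gateway reference.');
  }
  foreach ($record as $field => $value) {
    if (is_scalar($value) && example_contains_pan((string) $value)) {
      throw new Exception("Field '$field' looks like a card number.");
    }
  }
  return $record;
}

// Constructed sample data; 4111111111111111 is a well-known test card number.
$ok = array('uid' => 42, 'gateway_ref' => 'PROFILE-EXAMPLE-001', 'fee_amount' => '19.95');
example_check_recurring_record($ok);
$bad = $ok + array('note' => 'card 4111 1111 1111 1111 exp 12/30');
try { example_check_recurring_record($bad); } catch (Exception $e) { print $e->getMessage() . "\n"; }
```

A gateway reference that is itself a long, Luhn-valid number would trip this check, so it suits gateways whose references are not card-shaped.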

Unfortunately, not all payment gateways provide the same flexibility as these two gateways. Other gateways, like Paypal or Authorize.net ARB, take over the recurring payments, and once a subscription is set up you can't alter it. These gateways are still useful; it all depends on your specific requirements.

In conclusion, it's important to understand how your payment gateway works and the features it provides, along with your specific business requirements.
