CONVIO CONFIDENTIAL
2. User Profile
It is recommended that any custom objects, fields or attributes created within Convio to
support your integration have uniquely named internal references, so that they do not cause
namespace conflicts with other client customizations made before or after your integration
is enabled.
After a user registers on either site and the registration is propagated to the other site, the details
of the user's profile information (name, address, email, etc.) that are common to both sites
should be the same on both sites.
When a user updates common profile information (name, address, email, phone, etc.) on either
site, the change should automatically propagate to the other site.
3. Group and Interest Assignment and Synchronization
If your integration will synchronize Convio groups or interests to another application or interface
outside of Convio, it is recommended that you pair the name of the interest or group with its
numerical value when displaying it to users. For example, “outdoor interest (1025)” is more
intuitive than just “1025”.
Convio's Open APIs are more restrictive when assigning a user to a group id vs. interest id,
because site security is affected by internal group membership. Groups that are tied to interests
have no effect on site security permissions and access for an individual. When using the
Constituent API, you cannot use the client version (CRConsAPI) to make an anonymous update
to add a constituent to a group via the add_group_ids parameter. You must instead use the server
version (SRConsAPI) from a white-listed server IP address along with valid API admin user
credentials. Adding or updating opt-in interests via add_interest_ids is supported via
CRConsAPI and is not as constrained for use compared to add_group_ids.
4. Donations
PCI-DSS Compliance
Convio's payment processing system is PCI-DSS certified. Partner's implementation of any
donation or payment processed by Convio must provide a direct, secure connection from the
cardholder's browser to Convio. It must not collect, store, proxy, or transmit sensitive cardholder
information through any other system or network.
Specifically the donations API data must be sent directly to Convio - the form action must be
https://secure2.convio.net/organization/site/CRDonationAPI, not, for example, to a script or page
such as donate.php which then makes a server-side request to the API and parses the resulting
XML. You'll need to use redirect URLs (see
http://open.convio.com/api/#main.using_redirect_parameters.html) to handle the response.
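
One way to check a donation page against the rule above before launch (an added example, not Convio's own code): the script parses the page's HTML and reports every card-collecting form whose action is not the direct CRDonationAPI endpoint. The field names `card_number` and `card_cvv`, the "card" name heuristic and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOST = "secure2.convio.net"   # host named in the guideline above
API_SUFFIX = "/site/CRDonationAPI"    # endpoint path suffix from the guideline above
CARD_HINT = "card"                    # assumption: card inputs have "card" in their name


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None:
            self._open["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_donation_forms(html):
    """Return (action, reason) for each card form that does not post directly to Convio."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not any(CARD_HINT in name for name in form["fields"]):
            continue  # not a payment form, so the rule does not apply
        url = urlparse(form["action"])
        if url.scheme != "https":
            findings.append((form["action"], "action is not an absolute https URL"))
        elif url.hostname != ALLOWED_HOST:
            findings.append((form["action"], "card data posts to a non-Convio host"))
        elif not url.path.endswith(API_SUFFIX):
            findings.append((form["action"], "action is not the CRDonationAPI endpoint"))
    return findings


# Constructed sample pages: one compliant form, one that routes through donate.php.
GOOD = '<form action="https://secure2.convio.net/organization/site/CRDonationAPI" method="post"><input name="card_number"></form>'
BAD = '<form action="/donate.php" method="post"><input name="card_number"><input name="card_cvv"></form>'
```

Calling `audit_donation_forms(GOOD + BAD)` reports only the `/donate.php` form; forms without card fields (search boxes, newsletter sign-ups) are ignored.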