Member
Posts: 1
Registered: 01-20-2012

AIM, DPM or SIM?

Hi,


We currently use AIM for the integration on our web application. We are being asked by our merchant to become PCI compliant, and right now this means bringing our web server into PCI compliance. We are reviewing possible ways to eliminate this step.


I have come up with a couple of solutions that I would appreciate anyone's comments or help with:


1. We can still accept CC transactions, but instead of accepting them on our website, we will email a link to the user which will send them to a link on our website or Auth.Net that will use SIM to pay for their total amount.

2. We can have them finish their shopping on our website, and at the end, send them to Auth.Net using a carefully constructed SIM with their invoice #, total ..etc.


To me it looks like using SIM may solve the problem, but it will create additional steps for us to verify payment, and for our users to go through. This can create confusion and errors.


Has anyone had similar issues with their sites? Any suggestions on workarounds?


We are a level 4 merchant. We have been asked to do SAQ D. We are a small organization, so it is really not the best option for us.

I am trying to move us into an SAQ C, which will be easier and less expensive to implement.


I was also looking into DPM, which seems like it might help, but Trustwave (our QSA) says if the form is hosted by us (and we are accepting the card), it will not eliminate PCI compliance for our website.


Any help is appreciated. Thanks!


We are using ASP.NET.


Posts: 1,609
Topics: 15
Kudos: 201
Solutions: 121
Registered: 06-23-2011

Re: AIM, DPM or SIM?

How do you define eliminate PCI compliance? If your business collects money in any way using a merchant system - even if you forward people off-site to collect that money - then you should still implement basic password security, since anyone who gains access to your hosting can just redirect your customers to a fake form on his site and then collect the credit cards that way. What DPM does do is keep credit card data out of your server's RAM (which by extension also means your virtual memory / hard drive) by having the customer connect directly to Authorize.net. It might appear that your server is collecting credit card information, but you are not "accepting the card", Authorize.net is.


Short version - DPM is 100% secure as long as your hosting is inaccessible to non-authorized personnel. And if your hosting is compromised, you're doomed regardless of precautions.
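The DPM pattern the reply describes, as an added example that is not code from this thread or from Authorize.Net: the merchant server emits a checkout form whose order fields are signed with the transaction key, the browser posts the card fields straight to the gateway (so they never pass through the merchant's RAM), and the server only ever handles the gateway's relay response. It is written in Python rather than the poster's ASP.NET so the logic reads without framework code. The field names (x_login, x_fp_hash, x_MD5_Hash, ...), the fingerprint formula (HMAC-MD5 over login^sequence^timestamp^amount^) and the relay hash (MD5 over md5 value + login + transaction id + amount) are the SIM/DPM scheme as assumed here and should be checked against the current Authorize.Net guide; the credentials, URLs and order values are constructed placeholders. The form_posts_to_gateway check is aimed at the reply's warning that anyone who gets into the hosting can repoint the form at his own server.

```python
"""DPM-style checkout sketch: server signs the order, browser sends the card
to the gateway, server verifies the relay response. Added example, not code
from the thread. Field names, fingerprint and relay-hash formulas follow the
Authorize.Net SIM/DPM scheme as assumed here; verify against the current guide."""
import hashlib
import hmac
import html
import secrets
import time
from html.parser import HTMLParser

# Constructed placeholders. The transaction key and MD5 hash value stay on the
# server; they must never be written into the HTML sent to the browser.
API_LOGIN_ID = "demo_login"
TRANSACTION_KEY = "demo_transaction_key"
MD5_HASH_VALUE = "demo_md5_hash_value"
GATEWAY_URL = "https://secure.authorize.net/gateway/transact.dll"

# Fields the browser fills in and posts to the gateway. If any of them arrive
# in a request to the merchant server, the integration is wrong.
CARD_FIELDS = {"x_card_num", "x_exp_date", "x_card_code"}


def fingerprint(amount, sequence, timestamp, login=API_LOGIN_ID, key=TRANSACTION_KEY):
    """x_fp_hash: HMAC-MD5 keyed with the transaction key over the order data,
    so a customer who edits x_amount in the page gets a rejected transaction."""
    message = f"{login}^{sequence}^{timestamp}^{amount}^"
    return hmac.new(key.encode(), message.encode(), hashlib.md5).hexdigest()


def build_payment_form(invoice, amount, relay_url, sequence=None, timestamp=None):
    """Hidden fields the merchant server emits. No card fields appear here."""
    sequence = sequence if sequence is not None else secrets.randbelow(10**9)
    timestamp = timestamp if timestamp is not None else int(time.time())
    return {
        "x_login": API_LOGIN_ID,
        "x_amount": amount,
        "x_invoice_num": invoice,
        "x_fp_sequence": str(sequence),
        "x_fp_timestamp": str(timestamp),
        "x_fp_hash": fingerprint(amount, sequence, timestamp),
        "x_relay_response": "TRUE",
        "x_relay_url": relay_url,
    }


def render_form(fields):
    """The form action is the gateway, not the merchant site: the browser
    connects to Authorize.Net directly, so the PAN never reaches our server."""
    hidden = "\n".join(
        f'  <input type="hidden" name="{html.escape(k)}" value="{html.escape(str(v))}">'
        for k, v in fields.items()
    )
    return (
        f'<form method="post" action="{GATEWAY_URL}">\n{hidden}\n'
        '  <input type="text" name="x_card_num" autocomplete="off">\n'
        '  <input type="text" name="x_exp_date">\n'
        '  <input type="text" name="x_card_code">\n'
        '  <button type="submit">Pay</button>\n</form>'
    )


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> in a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action", ""))


def form_posts_to_gateway(page_html):
    """Integrity check for the reply's warning: someone with access to the
    hosting can point the form at his own server and collect cards there.
    Run it against the page actually served and alert when it fails."""
    parser = _FormActions()
    parser.feed(page_html)
    return bool(parser.actions) and all(a == GATEWAY_URL for a in parser.actions)


def relay_hash(trans_id, amount, md5_value=MD5_HASH_VALUE, login=API_LOGIN_ID):
    """x_MD5_Hash sent with the relay response: uppercase hex MD5 over
    md5_value + login + trans_id + amount (assumed scheme)."""
    return hashlib.md5((md5_value + login + trans_id + amount).encode()).hexdigest().upper()


def verify_relay_response(params, expected_amount):
    """Validate the gateway's relay post before marking the order paid.
    Returns (ok, reason)."""
    if set(params) & CARD_FIELDS:
        return False, "card data reached the merchant server; integration is wrong"
    expected = relay_hash(params.get("x_trans_id", ""), params.get("x_amount", ""))
    if not hmac.compare_digest(expected, params.get("x_MD5_Hash", "")):
        return False, "relay hash mismatch; not from the gateway"
    if params.get("x_amount") != expected_amount:
        return False, "amount differs from the order"
    if params.get("x_response_code") != "1":
        return False, "transaction not approved"
    return True, "approved"


if __name__ == "__main__":
    print(render_form(build_payment_form("INV-1001", "49.99", "https://shop.example/relay")))
```

The relay handler compares the posted amount against the order on file and rejects any post that carries card fields, which is the cheap check that the card really is going to Authorize.Net and not to you. The fingerprint and relay hash keep a customer from paying a different amount than the invoice, but neither protects against the scenario in the reply: if the hosting is compromised, the form action can be changed to anything, so the action check belongs in a monitor outside the web server's trust boundary.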