Member
Posts: 2
Registered: ‎08-11-2015

Can CIM be used with my own form without sending CC info to merchant?

My requirements are such that PCI compliance should be avoided and thus CC info should only interact with the client and Auth.net's servers and the payment form should be hosted entirely on our website.

Customers should be able to store payment information without reentering it, however, we'd like to use our own website and form instead of going with the CIM hosted forms option.

Is there an option that will let us use our own form without sending CC info to the merchant and storing customer information?

Posts: 2,765
Topics: 57
Kudos: 247
Blog Posts: 67
Registered: ‎12-05-2011

Re: Can CIM be used with my own form without sending CC info to merchant?

Hello @AlexH

As a reminder, the merchant must always be PCI DSS compliant. However, using different tools like hosted forms can help reduce their PCI scope.

If you are using your own form, then your server must be PCI compliant since sensitive card data will travel through your server and to Authorize.Net. When you use a hosted form, the form is displayed in the user's browser and data is sent directly to Authorize.Net, bypassing your server.

Richard

Member
Posts: 2
Registered: ‎08-11-2015

Re: Can CIM be used with my own form without sending CC info to merchant?

Hey Richard, appreciate the response.

@RichardH wrote:

As a reminder, the merchant must always be PCI DSS compliant. However, using different tools like hosted forms can help reduce their PCI scope.


Right, I should have said minimal PCI compliance. The merchant is currently fully PCI compliant and is looking for another solution.


@RichardH wrote:

If you are using your own form, then your server must be PCI compliant since sensitive card data will travel through your server and to Authorize.Net.


There was a previous project we had worked on where a third-party payment platform offered a solution similar to what I described. I believe they sent a temporary customer-specific pin to the client browser that was used to generate a hash/key, and then the client used that to communicate with the payment platform. The payment platform would then create the customer payment profiles etc. and then send the customer ID back to the client, which would then be passed to the server and stored. Payments were processed on the server using the merchant API key and the customer ID + payment ID. Apparently this circumvented full PCI compliance because raw CC info wasn't being stored on the server.

I was wondering if there would be a way to accomplish this with Auth.net. Seems like you're saying there isn't, just double checking.
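The flow described in the post above, written out as a constructed three-party simulation added here for illustration. It is not Authorize.Net's API and not code from this thread: the merchant server hands the browser a short-lived token, the gateway accepts card data from the browser directly and returns only a profile reference, and the merchant later charges by reference using its API key. Every name (PaymentPlatform, MerchantServer, browser_checkout, the token layout) is hypothetical, and the card number is a constructed test value. The merchant_saw_pan check is the point of the exercise: it scans everything the merchant server ever handled for the card number.

```python
import hashlib
import hmac
import json
import secrets
import time


class PaymentPlatform:
    """Hypothetical gateway: the only party that ever stores raw card data."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)  # gateway-internal secret
        self._merchants = {}                         # merchant_id -> api_key
        self._profiles = {}                          # customer_id -> stored card
        self._used_tokens = set()                    # tokens are single use
        self.charges = []

    def register_merchant(self, merchant_id, api_key):
        self._merchants[merchant_id] = api_key

    def _check_api_key(self, merchant_id, api_key):
        expected = self._merchants.get(merchant_id)
        if expected is None or not hmac.compare_digest(expected, api_key):
            raise PermissionError("bad merchant credentials")

    def create_client_token(self, merchant_id, api_key, ttl=300, now=None):
        """Server-to-server call: a short-lived token bound to this merchant."""
        self._check_api_key(merchant_id, api_key)
        exp = int(now if now is not None else time.time()) + ttl
        body = f"{merchant_id}|{exp}|{secrets.token_hex(8)}"
        sig = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}"

    def _verify_client_token(self, token, now=None):
        merchant_id, exp, nonce, sig = token.split("|")
        body = f"{merchant_id}|{exp}|{nonce}"
        good = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, sig):
            raise PermissionError("forged client token")
        if int(now if now is not None else time.time()) > int(exp):
            raise PermissionError("expired client token")
        if token in self._used_tokens:
            raise PermissionError("client token already used")
        self._used_tokens.add(token)
        return merchant_id

    def create_payment_profile(self, client_token, card, now=None):
        """Browser-to-gateway call: card data lands here, never at the merchant."""
        merchant_id = self._verify_client_token(client_token, now)
        customer_id = f"cust_{secrets.token_hex(6)}"
        self._profiles[customer_id] = {"merchant_id": merchant_id, "card": dict(card)}
        return {"customer_id": customer_id, "last4": card["number"][-4:]}

    def charge(self, merchant_id, api_key, customer_id, amount):
        """Server-to-server call: the merchant charges a stored profile by reference."""
        self._check_api_key(merchant_id, api_key)
        profile = self._profiles.get(customer_id)
        if profile is None or profile["merchant_id"] != merchant_id:
            raise LookupError("unknown customer profile for this merchant")
        self.charges.append((merchant_id, customer_id, amount))
        return {"status": "approved", "amount": amount}


class MerchantServer:
    """Hypothetical merchant backend; stores only the gateway's customer reference."""

    def __init__(self, platform, merchant_id, api_key):
        self.platform = platform
        self.merchant_id = merchant_id
        self._api_key = api_key
        self.customers = {}    # user -> customer_id
        self.request_log = []  # every payload this server received (for the scope check)

    def _receive(self, endpoint, payload):
        self.request_log.append(json.dumps({"endpoint": endpoint, "payload": payload}, sort_keys=True))

    def get_client_token(self, user):
        self._receive("/client-token", {"user": user})
        return self.platform.create_client_token(self.merchant_id, self._api_key)

    def save_customer(self, user, customer_id, last4):
        self._receive("/save-customer", {"user": user, "customer_id": customer_id, "last4": last4})
        self.customers[user] = customer_id

    def charge_customer(self, user, amount):
        self._receive("/charge", {"user": user, "amount": amount})
        return self.platform.charge(self.merchant_id, self._api_key, self.customers[user], amount)


def browser_checkout(merchant, platform, user, card, amount):
    """What the customer's browser does on the merchant-hosted form."""
    token = merchant.get_client_token(user)                  # 1. merchant issues temp token
    result = platform.create_payment_profile(token, card)    # 2. card goes straight to gateway
    merchant.save_customer(user, result["customer_id"], result["last4"])  # 3. reference only
    return merchant.charge_customer(user, amount)            # 4. charge by reference


def merchant_saw_pan(merchant, pan):
    """Scope check: did any request the merchant server handled contain the PAN?"""
    return any(pan in entry for entry in merchant.request_log)


# Constructed test card; not a real account.
CONSTRUCTED_CARD = {"number": "4111111111111111", "exp": "12/30", "cvv": "123"}


def demo():
    platform = PaymentPlatform()
    platform.register_merchant("merchant-1", "api-key-example")
    merchant = MerchantServer(platform, "merchant-1", "api-key-example")
    receipt = browser_checkout(merchant, platform, "alice", CONSTRUCTED_CARD, 19.99)
    return receipt, merchant_saw_pan(merchant, CONSTRUCTED_CARD["number"])
```

Running demo() returns an approved receipt and False from the scope check: the merchant's request log holds a user name, a customer reference and the last four digits, nothing more. The gateway side enforces what makes the reference safe to hand around, namely that the token is bound to one merchant, expires, and is accepted once, and that a profile can only be charged by the merchant it was created for. What stays on the merchant's side is the page and script that render the form, which is why this reduces rather than removes PCI scope, in line with Richard's reply.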