09-28-2012 06:56 AM
I'm the developer for a desktop software application that uses the SIM method/Hosted Payment Form to process payments through Authorize.net. In the past, many of our customers have used a standard (non-encrypted) magnetic card swipe reader in conjunction with the SIM Hosted Payment Form to input the cardholder data.
Recently, however, there's been some concern over whether this is PCI Compliant, and if they should be using a reader that supports point-to-point encryption. I know that MagTek has a reader on the market that works with Authorize.net, and I understand that using the encrypted reader is probably a better, more secure solution, but my question is this--is using a standard, un-encrypted reader with a Hosted Payment Form still permissible under the PCI DSS? Since using a standard card reader (which basically emulates keyboard input) is really no different than keying in the card number with the keyboard (and that's still permissible--right?), I don't see why it wouldn't be.
10-01-2012 12:26 PM
The Server Integration Method (SIM) is used to present a payment form to the customer so that they can key in their card information for a Card Not Present (CNP) transaction. This method is not to be used with any kind of card reader, as that would, by definition, be a Card Present (CP) transaction.
CNP and CP transactions are handled completely differently by card processors and require differently configured Authorize.Net accounts. Authorize.Net provides a separately documented CP API which allows you to read and submit track data that you have gathered with a card reader. At this time, we do not yet support encrypted card readers through any of our APIs.
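The answer above draws a line between keyed entry (CNP, what SIM is for) and swiped track data (CP, what the separate CP API is for). A keyboard-emulating swipe reader blurs that line on the client side, because the whole track string lands in the card-number field as if typed. The following is an added example, not code from the original thread or from Authorize.Net: a client-side check for a hosted/CNP form that recognises ISO/IEC 7813 track 1 and track 2 formatting (the `%B...?` and `;...=...?` sentinels), refuses it so a swipe is never submitted as a keyed transaction, and validates a keyed PAN with the Luhn check. The function names and the regular expressions are this example's own, and the sample values use the constructed Luhn-valid test number 4111111111111111, not a real card.

```javascript
// Added example (not from the thread): keep swipe output out of a Card Not
// Present form field. Track formats follow ISO/IEC 7813; the patterns below
// look for the track 1 start sentinel "%B" + PAN + "^" name "^" ... "?" and
// the track 2 start sentinel ";" + PAN + "=" ... "?".
const TRACK1 = /%B\d{13,19}\^[^^?]{2,26}\^[^?]*\?/;
const TRACK2 = /;\d{13,19}=[^?]*\?/;

// Luhn mod-10 check for a string of digits (ISO/IEC 7812).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Classify raw field input: 'swipe' for track data from a keyboard-emulating
// reader, 'keyed' for a plausible hand-typed PAN, 'invalid' otherwise.
function classifyCardInput(raw) {
  const s = String(raw).trim();
  if (TRACK1.test(s) || TRACK2.test(s)) return 'swipe';
  const digits = s.replace(/[\s-]/g, '');
  if (/^\d{13,19}$/.test(digits)) return 'keyed';
  return 'invalid';
}

// Return the normalised PAN digits for a keyed entry that passes Luhn,
// or null when the input is a swipe, malformed, or fails the check digit.
// A CNP form should only ever pass the non-null result on to the gateway.
function normalizeKeyedPan(raw) {
  if (classifyCardInput(raw) !== 'keyed') return null;
  const digits = String(raw).replace(/[\s-]/g, '');
  return luhnValid(digits) ? digits : null;
}

// Constructed sample inputs (test PAN 4111111111111111, not a real card).
const SAMPLES = [
  '4111 1111 1111 1111',                                   // keyed
  '%B4111111111111111^DOE/JOHN^2512101000000000?' +
    ';4111111111111111=2512101000000000?',                 // both tracks
  ';4111111111111111=25121010000?',                        // track 2 only
  '4111111111111112',                                      // bad check digit
];

for (const s of SAMPLES) {
  console.log(classifyCardInput(s), normalizeKeyedPan(s));
}
```

Wire `normalizeKeyedPan` to the card-number field's submit handler: a null result with a 'swipe' classification is the signal to tell the operator that this form is keyed-entry only and that swiped cards belong to the separately configured CP flow. The regular expressions deliberately do not capture or retain the track contents beyond the yes/no decision, so the check itself holds no more cardholder data than the field already does.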