Member
Posts: 3
Registered: ‎11-14-2014
Accepted Solution

Does non-hosted SIM encrypt card data?

I am using non-hosted CIM .NET API to add credit cards. This is the one part of my app that sends cardholder data out. So my question is, does it send this data out encrypted? My site does have an SSL certificate, but I am concerned about PCI compliance. From what I understand SAC level C is what applies to my circumstance since my app doesn't store cardholder data directly, but it does transmit it only when sending it to CIM using the API they provided.

 

So again, my question is: is it encrypted, and am I correct in that this requires SAC C compliance? Any help would be greatly appreciated.


Accepted Solutions
Solution
Accepted by topic author JeffSGA007
‎08-21-2015 01:58 AM
Posts: 321
Topics: 5
Kudos: 37
Blog Posts: 5
Ideas: 0
Solutions: 26
Registered: ‎11-09-2011

Re: Does non-hosted SIM encrypt card data?

[ Edited ]

Connecting to a secure server--including https://secure.authorize.net/ as SIM does--includes automatically negotiating TLS.

 

This will ensure the data will be encrypted as it leaves your server for ours.

 

However, it does nothing for the data handling prior to that. So you would want to make sure your application handles the data securely at every point. Even if the data isn't being stored in a database permanently, it's presumed it would be temporarily stored in a variable before posting to us. That could be exploited by a malicious third party.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
