Hi Richard,
Thanks for your reply (I'm new to this forum).
To expand, the app I write/support utilizes CIM for storing customer profiles and we utilize the stored profiles in order to bill our customers for subscriptions on a recurring basis and to charge customers during checkout from our shopping cart. This is just one element of our business.
The other element of our business is big/major events where we have computers set up to take orders and either utilize our customer's payment profile or allow them to swipe their credit card on checkout. So this element of the application is a point-of-sale (POS) system. Lately, I put a good deal of effort into the POS portion of our application in order to make the process more seamless for our customers and the "cashiers". We do not currently use encrypted readers, but I have worked with cryptography extensively, so I have a good idea as to how this type of thing should work (public key to encrypt and only the owner of the private key can decrypt).
I am using the CIM APIs in both cases and I really like the CIM APIs.
Now, I am in the middle of doing a PCI review and contemplating taking any sort of unencrypted data flow of cardholder data out of our application. So for the non-POS portion of our application, "hosted CIM" is looking like an incredible solution (awesome!).
However, I had to consider POS as well, since it is a major part of the customer's business (big events). So I took a look at auth.net's VPOS solution and was underwhelmed (to say the least).
So I have to say (at this point) I am not very familiar with encrypted readers (yet), but here is how I would like the POS process to work. I call a CIM API to retrieve a public key from auth.net. I then install the public key on the encrypting card reader. Subsequently, when a POS "customer" swipes their card the reader encrypts the cardholder data with auth.net's public key. I then call the CIM API in order to store the cardholder data with CIM or just to make a one time charge with the card. Since auth.net is in possession of the private key, auth.net is the only one that can decrypt the cardholder data. The data is encrypted as it passes through our application, which makes PCI compliance much simpler.
CIM supporting this scenario would simplify my life tremendously and I would totally be willing to work with the CIM dev team in order to see this accomplished.
Please help!
Thanks,
Martin
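The flow Martin describes (reader encrypts the swipe to the gateway's public key, the merchant app forwards an opaque blob, only the private-key holder can recover the card data) is ordinary hybrid/envelope encryption. The following is an added illustration of that pattern in Go, not code from the post and not Authorize.Net's CIM API or any real reader's firmware: the `Envelope` layout, `GenerateKeyPair`, `ReaderEncrypt`, `GatewayDecrypt` and `ExposesPAN` are all assumed names, and the gateway keypair is generated locally here to stand in for auth.net. It also adds the one check the description leaves out: the reader pins the fingerprint of the gateway's public key, because if it will encrypt to whatever key it is handed, anyone who can substitute a key on the way in can read every swipe.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Envelope is what the reader emits and the merchant app forwards untouched (layout assumed here).
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the gateway public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext plus tag over the track data
}

// GenerateKeyPair stands in for the gateway minting the keypair; the private half never leaves it.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicKeyFingerprint is SHA-256 over the PKIX/DER encoding of the key. The reader pins
// this so a key fetched over the network cannot be swapped for an attacker's.
func PublicKeyFingerprint(pub *rsa.PublicKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return sha256.Sum256(der)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ReaderEncrypt stands in for the encrypting reader: a fresh AES-256-GCM key
// protects the track data and the gateway's public key wraps that AES key.
func ReaderEncrypt(gatewayPub *rsa.PublicKey, pinned [32]byte, trackData []byte) (*Envelope, error) {
	if PublicKeyFingerprint(gatewayPub) != pinned {
		return nil, fmt.Errorf("gateway public key does not match pinned fingerprint; refusing to encrypt")
	}
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gatewayPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, trackData, nil)}, nil
}

// GatewayDecrypt is the step only the private-key holder can perform.
func GatewayDecrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// ExposesPAN is the check the merchant app can run on the bytes it actually handles.
func ExposesPAN(env *Envelope, pan []byte) bool {
	return bytes.Contains(env.WrappedKey, pan) || bytes.Contains(env.Nonce, pan) || bytes.Contains(env.Ciphertext, pan)
}

func main() {
	gateway, _ := GenerateKeyPair() // stands in for auth.net's keypair
	pinned := PublicKeyFingerprint(&gateway.PublicKey)
	track := []byte("%B4111111111111111^DOE/JOHN^2512101000000000?") // constructed swipe, Visa test PAN
	env, err := ReaderEncrypt(&gateway.PublicKey, pinned, track)
	if err != nil {
		panic(err)
	}
	fmt.Println("PAN visible to merchant app:", ExposesPAN(env, []byte("4111111111111111")))
	plain, err := GatewayDecrypt(gateway, env)
	fmt.Println("gateway recovered track data:", err == nil && bytes.Equal(plain, track))
	other, _ := GenerateKeyPair() // anyone else's key, e.g. the merchant's own
	_, err = GatewayDecrypt(other, env)
	fmt.Println("decryption with another private key fails:", err != nil)
}
```

Two caveats for anyone reading this as a plan: most commercial encrypting readers are keyed with processor-injected symmetric keys (DUKPT) rather than a merchant-installed public key, so the real reader and gateway define the blob format and key handling, not the merchant; and keeping the PAN out of the application's memory is necessary but not by itself sufficient for scope reduction, which depends on the reader and key management satisfying the assessor.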