Reply
Highlighted
Member
Posts: 3
Registered: ‎04-04-2013
Accepted Solution

Trying to avoid PCI Requirements by using CIM

I'm trying to avoid having to comply with PCI requirements.

 

There are 3 main requirements my application must have to process payments:

 

 Requirement 1: Site (including Payment pages) must support multiple languages

  - I believe this rules out any hosted forms since it appears Authorize.Net forms appear to be English only

 

Requirement 2: CC information CANNOT be stored in Memory on our Servers (nor in our Database)

 - DPM works well here it seems as the data is directly POSTed to Authorize.net

 - Using XML or SOAP requires the data to first be sent to our Servers so the CC info is in our memory

     (Using JavaScript to call the Authorize.Net's WebService can't be done because of the TransactionKey and API Login ID would be in plain sight) Trying to avoid PCI Requirements by using CIM

 

Requirement 3: Multiple Authorizations / Captures must occur from originally transmitted CC information

  - We have backorders...

  - Authorizations occur when order is first placed (assuming stock in available), otherwise just the CC info is validated and stored

  - When items are available, the order ships.  At that point a capture (PRIOR AUTH CAPTURE) occurs for the amount shipped.  Any unshipped items could potentially be authorized again to then be captured when they shipped.  Depending on business logic and inventory items an order could be initially placed and authorized, or placed and not authorized.  Then at shipment, the entire amount could be captured or a partial amount.  When a partial amount is captured another authorization could occur to then be captured later ... which could cause another authorization if there were still items that didn't ship, etc.

  - If we didn't have backorders, we could just use DPM

 

What is described in the following post is what I'm after:

http://community.developer.authorize.net/t5/Integration-and-Testing/Combine-DPM-and-CIM/m-p/8560#M58...

 

I want to be able to do a CreateCustomerProfile through a POST and a CreateCustomerPaymentProfile through a POST with an option to do an Authorization.  Then later, I want to reference the customerPaymentProfileId to do Capture and could also do another Auth immediately with the customerPaymentProfileId.

 

CIM allows for all of these requirements to be met except requirement 2 (not stored in memory).  Since PCI requirements have changed, we can no longer store the information in our server's memory.  The only way to do this is by directly POSTing to Authorize.Net because as soon as we POST back to our server to then call the CIM WebService we are required to be PCI compliant and we are trying to avoid the cost of keeping that up.  This is why we were contemplating switching over from a competitor to using Authorize.Net.

 

Am I missing something?  Is there a way to accomplish what I'm after with all of the requirements being met?

 

If there is no way to do this, is there anyone at Authorize.Net that could confirm or deny that anything is in the works that would allow the above requirements to be met?

 

Thanks for your time and sorry for the lengthy post.

 

Chad


Accepted Solutions
Highlighted
Solution
Accepted by topic author kewlniss
‎08-21-2015 01:58 AM
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Trying to avoid PCI Requirements by using CIM

Take a look at cybersource.com

View solution in original post

Highlighted
Solution
Accepted by topic author kewlniss
‎08-21-2015 01:58 AM
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Trying to avoid PCI Requirements by using CIM

It look to me this is doing what CIM is doing http://www.cybersource.com/developers/learn/cybersource_services/payment_security/

 

But didn't have any experience with it.

 

View solution in original post


All Replies
Highlighted
Solution
Accepted by topic author kewlniss
‎08-21-2015 01:58 AM
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Trying to avoid PCI Requirements by using CIM

Take a look at cybersource.com

Highlighted
Member
Posts: 3
Registered: ‎04-04-2013

Re: Trying to avoid PCI Requirements by using CIM

Thanks for your response.  I've been looking at Cybersource.com today and don't see anything that they offer that compares to CIM.

 

Highlighted
Solution
Accepted by topic author kewlniss
‎08-21-2015 01:58 AM
Expert
Posts: 4,525
Registered: ‎03-08-2010

Re: Trying to avoid PCI Requirements by using CIM

It look to me this is doing what CIM is doing http://www.cybersource.com/developers/learn/cybersource_services/payment_security/

 

But didn't have any experience with it.

 

Highlighted
Member
Posts: 3
Registered: ‎04-04-2013

Re: Trying to avoid PCI Requirements by using CIM

Thanks!  After looking at this for quite a while I believe it is exactly what I needed.  Thanks again!