Contributor
Posts: 37
Registered: 05-09-2011

precautionary measures for handling SIM relay response

Does anyone know the precautionary measures I need to handle the relay response from SIM?

Do I need an SSL certificate?

Do I need to be able to provide any logs from my server to prove I'm not handling credit card info?

How do I find this information out BEFORE my merchant asks me? (in the event they do)

Regular Contributor
Posts: 72
Registered: 07-06-2011

Re: precautionary measures for handling SIM relay response

If you are not collecting any credit card information on your own site through a form, and are just sending the customer to the payment form on AuthNet, there is no way for you to transmit/store critical credit card information. There are no AuthNet APIs that return it to you.

The most you can get back for a credit card number is XXXX1234 and never the full number. The only thing you'll get back for the expiration date is XXXX.

If your merchant ever asks you about it, just create a page to run a test transaction that actually outputs the full response details on the screen. There you'll be able to demonstrate that no critical credit card information is even available for you to view, store or use in any way. And no, you won't need SSL for it.

If the customer fills in all of the CC info on a form you have built on your site, and then you pass that information over to AuthNet, then you would need SSL just to transfer the information from your server to AuthNet. But it doesn't sound like you are doing that so you should have no worries. :) WHeis
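A relay-response handler that illustrates the point made above, as an added example that is not code from this thread or from Authorize.Net: it parses the POST the relay URL receives, passes through the masked values (XXXX1234 / XXXX), and redacts anything that looks like a full card number before the fields are written to a log you might later show a merchant. The field names (x_account_number, x_exp_date, x_trans_id, ...) are the SIM relay-response parameter names; the POST body is constructed.

```python
# Added example (not from this thread): log-safe handling of a SIM relay
# response. x_account_number, x_exp_date etc. are the SIM relay-response
# parameter names; SAMPLE_BODY is a constructed POST body.
import re
from urllib.parse import parse_qs

# Constructed relay response as AuthNet would POST it to the relay URL.
SAMPLE_BODY = (
    "x_response_code=1&x_trans_id=2147483647&x_amount=19.99"
    "&x_account_number=XXXX1234&x_exp_date=XXXX&x_card_type=Visa"
    "&x_first_name=Jane&x_last_name=Doe"
)

MASKED_PAN = re.compile(r"^XXXX\d{4}$")       # the only form AuthNet returns
DIGIT_RUN = re.compile(r"\d[\d \-]{11,}\d")   # 13+ digits, separators allowed


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every real primary account number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value carries a Luhn-valid 13-19 digit number."""
    for m in DIGIT_RUN.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def scrub_relay_response(body: str) -> dict:
    """Parse the relay POST and return only fields that are safe to log."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    # Masked account number passes through; anything else in that field is dropped.
    acct = fields.get("x_account_number", "")
    if acct and not MASKED_PAN.match(acct):
        fields["x_account_number"] = "[REDACTED]"
    # No other field (description, memo, ...) may carry a full card number either.
    for key in list(fields):
        if looks_like_pan(fields[key]):
            fields[key] = "[REDACTED]"
    return fields
```

Run against SAMPLE_BODY the output keeps XXXX1234 and XXXX untouched, which is exactly what a test page showing the full response should display.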

Contributor
Posts: 37
Registered: 05-09-2011

Re: precautionary measures for handling SIM relay response

Hey WHeisenberg

Thanks again for the response. I'm contacting web hosting companies and explaining what I'm doing and they are all saying that since the relay response DOES transmit cardholder data (customer name, billing/shipping address, etc.) you must be PCI compliant.

They could be just attempting to sell me PCI compliant hosting, SSL certs, etc., I dunno. I'm looking for a definitive response but everyone I talked to either says "you're probably ok" or "no, you probably need to be PCI compliant".

I'm trying not to base my decisions on "probably" : /