Trying to avoid PCI Requirements by using CIM

I'm trying to avoid having to comply with PCI requirements.


There are 3 main requirements my application must have to process payments:


 Requirement 1: Site (including Payment pages) must support multiple languages

  - I believe this rules out any hosted forms, since Authorize.Net forms appear to be English only


Requirement 2: CC information CANNOT be stored in Memory on our Servers (nor in our Database)

 - DPM works well here it seems as the data is directly POSTed to

 - Using XML or SOAP requires the data to first be sent to our Servers so the CC info is in our memory

   (Using JavaScript to call Authorize.Net's WebService can't be done because the TransactionKey and API Login ID would be in plain sight)


Requirement 3: Multiple Authorizations / Captures must occur from originally transmitted CC information

  - We have backorders...

  - Authorizations occur when the order is first placed (assuming stock is available); otherwise just the CC info is validated and stored

  - When items are available, the order ships.  At that point a capture (PRIOR AUTH CAPTURE) occurs for the amount shipped.  Any unshipped items could potentially be authorized again to then be captured when they shipped.  Depending on business logic and inventory items an order could be initially placed and authorized, or placed and not authorized.  Then at shipment, the entire amount could be captured or a partial amount.  When a partial amount is captured another authorization could occur to then be captured later ... which could cause another authorization if there were still items that didn't ship, etc.

  - If we didn't have backorders, we could just use DPM


What is described in the following post is what I'm after:


I want to be able to do a CreateCustomerProfile through a POST and a CreateCustomerPaymentProfile through a POST with an option to do an Authorization.  Then later, I want to reference the customerPaymentProfileId to do Capture and could also do another Auth immediately with the customerPaymentProfileId.


CIM allows for all of these requirements to be met except requirement 2 (not stored in memory).  Since PCI requirements have changed, we can no longer store the information in our server's memory.  The only way to do this is by directly POSTing to Authorize.Net because as soon as we POST back to our server to then call the CIM WebService we are required to be PCI compliant and we are trying to avoid the cost of keeping that up.  This is why we were contemplating switching over from a competitor to using Authorize.Net.


Am I missing something?  Is there a way to accomplish what I'm after with all of the requirements being met?


If there is no way to do this, is there anyone at Authorize.Net that could confirm or deny that anything is in the works that would allow the above requirements to be met?


Thanks for your time and sorry for the lengthy post.
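The authorize / partial-capture / re-authorize cycle described in Requirement 3, as an added simulation that is not part of the original post and not the Authorize.Net CIM API: the server keeps only an opaque payment-profile reference (standing in for customerPaymentProfileId), never card data, and the ledger records the gateway operations the flow would issue. The `Order` class, method names and placeholder profile id are assumptions for illustration.

```python
"""Simulated auth/capture lifecycle for a backorder-capable order (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Order:
    payment_profile_id: str          # opaque gateway token; no PAN ever held here
    total: int                       # order total in cents
    authorized: int = 0              # currently open (uncaptured) authorization
    captured: int = 0                # cumulative captured amount
    ledger: list = field(default_factory=list)   # (operation, amount) pairs

    def place(self, in_stock: bool) -> None:
        """Authorize on placement only if stock is available; otherwise the
        payment profile is merely validated and kept for later."""
        if in_stock:
            self.authorize(self.total - self.captured)
        else:
            self.ledger.append(("validate", 0))

    def authorize(self, amount: int) -> None:
        # Never authorize beyond what is still outstanding on the order.
        if amount <= 0 or self.captured + amount > self.total:
            raise ValueError("authorization exceeds outstanding balance")
        self.authorized = amount
        self.ledger.append(("auth", amount))

    def ship(self, amount: int) -> None:
        """Capture the shipped amount against the open auth (PRIOR_AUTH_CAPTURE),
        then re-authorize whatever is still unshipped."""
        if amount <= 0 or amount > self.authorized:
            raise ValueError("capture exceeds open authorization")
        self.captured += amount
        self.authorized = 0                       # the prior auth is consumed
        self.ledger.append(("prior_auth_capture", amount))
        remaining = self.total - self.captured
        if remaining > 0:
            self.authorize(remaining)             # hold funds for the backorder

    def outstanding(self) -> int:
        return self.total - self.captured


def backorder_scenario() -> Order:
    """Constructed scenario: a 100.00 order where only 40.00 ships at first."""
    order = Order(payment_profile_id="PAYMENT_PROFILE_ID_PLACEHOLDER", total=10_000)
    order.place(in_stock=True)   # auth 100.00
    order.ship(4_000)            # capture 40.00, re-auth 60.00
    order.ship(6_000)            # capture 60.00, nothing left to authorize
    return order
```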


