topic Re: Indirect Post using DPM and PCI Compliance in Integration and Testing

Indirect Post using DPM and PCI Compliance

jonathanwood — Mon, 02 Apr 2012 14:48:30 GMT

If I use the DPM API, but instead of posting back directly to the Authorize.NET server, I post back to my own server and then relay the post to the Authorize.NET server, is this breaking PCI compliance?

Note that I'm not storying the info anyway. I'm just posting it behind the scenes to prevent the user's browser from bouncing around.

Thanks.

Re: Indirect Post using DPM and PCI Compliance

RaynorC1emen7 — Mon, 02 Apr 2012 18:19:04 GMT

What you describe is AIM. Is not the it breaking PCI compliance, all API have some level of PCI compliance.

Re: Indirect Post using DPM and PCI Compliance

jonathanwood — Mon, 02 Apr 2012 19:55:58 GMT

Thanks for the reply but I'm a little unsure about your response.

I am using the DPM API. But the intent of that API is that the page is posted directly to the Authorize.NET server.

What I'm doing instead is using AJAX to post it back to my own server, and my server then simulates a post to the Authorize.NET server.

If I store the credit card number in my database, then I must be PCI compliant. But if I simply route it through my server this way, without storing it to permanent storage, then I want to make sure PCI compliance is not required.

Thanks.

Re: Indirect Post using DPM and PCI Compliance

RaynorC1emen7 — Mon, 02 Apr 2012 20:08:22 GMT

If you look at the documentation. They are all(DPM, SIM, AIM) point to the same URL https://secure.authorize.net/gateway/transact.dll or https://test.authorize.net/gateway/transact.dll.

The different it how they work.Look at the "See how it works" pic on all three, and you will see.

If CC info going to your server is AIM. Doesn't matter if you save it or not.

Michelle have a blog on it PCI and You