https://community.developer.cybersource.com/t5/Integration-and-Testing/Card-Swipe-Devices-Hosted-Payment-Forms-amp-PCI-Compliance/m-p/30210#M15814 <P>I'm the developer for a desktop software application uses the SIM method/Hosted Payment Form to process payments through Authorize.net. In the past, many of our customers have used a standard (non-encrypted) magnetic card swipe reader in conjunction with the SIM Hosted Payment Form to input the cardholder data.</P><P>&nbsp;</P><P>Recently, however, there's been some concern over whether this is PCI Compliant, and if they should be using a reader that supports point-to-point encryption. I know that MagTek has a reader on the market that works with Authorize.net, and I understand that using the encrypted reader is probably a better, more secure&nbsp;solution,&nbsp;but my question is this--is using a standard, un-encrypted reader with a Hosted Payment Form still permissable under the PCI DSS? Since using a standard card reader (which basically emulates keyboard input) is really no different than keying in the card number with the keyboard (and that's still permissable--right?), I don't see why it wouldn't be.</P> Fri, 28 Sep 2012 13:56:55 GMT silentsky 2012-09-28T13:56:55Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Card-Swipe-Devices-Hosted-Payment-Forms-amp-PCI-Compliance/m-p/30210#M15814 <P>I'm the developer for a desktop software application uses the SIM method/Hosted Payment Form to process payments through Authorize.net. In the past, many of our customers have used a standard (non-encrypted) magnetic card swipe reader in conjunction with the SIM Hosted Payment Form to input the cardholder data.</P><P>&nbsp;</P><P>Recently, however, there's been some concern over whether this is PCI Compliant, and if they should be using a reader that supports point-to-point encryption. I know that MagTek has a reader on the market that works with Authorize.net, and I understand that using the encrypted reader is probably a better, more secure&nbsp;solution,&nbsp;but my question is this--is using a standard, un-encrypted reader with a Hosted Payment Form still permissable under the PCI DSS? Since using a standard card reader (which basically emulates keyboard input) is really no different than keying in the card number with the keyboard (and that's still permissable--right?), I don't see why it wouldn't be.</P> Fri, 28 Sep 2012 13:56:55 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Card-Swipe-Devices-Hosted-Payment-Forms-amp-PCI-Compliance/m-p/30210#M15814 silentsky 2012-09-28T13:56:55Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Card-Swipe-Devices-Hosted-Payment-Forms-amp-PCI-Compliance/m-p/30332#M15872 <P>The Server Integration Method (SIM) is used to present a payment form to the customer so that they can key in their card information for a Card Not Present (CNP) transaction. This method is not to be used with any kind of card reader, as that would, by definition, be a Card Present (CP) transaction.</P> <P>&nbsp;</P> <P>CNP and CP transactions are handled completely differently by card processors and require differently configured Authorize.Net accounts. Authorize.Net provides a separately documented CP API which allows you to read and submit track data that you have gathered with a card reader. At this time, we do not yet support encrypted card readers through any of our APIs.</P> Mon, 01 Oct 2012 19:26:44 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Card-Swipe-Devices-Hosted-Payment-Forms-amp-PCI-Compliance/m-p/30332#M15872 Trevor 2012-10-01T19:26:44Z