topic Re: CIM - Get a list of Customer Payment Profiles WITHOUT full PAN? in Integration and Testing

CIM - Get a list of Customer Payment Profiles WITHOUT full PAN?

coppercup — Wed, 28 Oct 2015 22:22:28 GMT

Question:

Is it possible to retrieve/get a simple list of Customer Payment Profiles via the CIM API that does not include the full PAN (primary account number)?

Background:

We're trying to devise ways to replace a traditional CIM/AIM/ARB integrations, which is now within PCI DDS A-EP scope, with a PCI-A-compliant methodology.

In particular, we have a site that lists Customer Payment Profiles in the site's customer account and also during the checkout payment step so that the customer can elect to edit, delete or pay with an existing payment profile. The list of payment profiles includes only the card type and the last four of the CC to help identify it for the customer.

It looks like we can create payment profiles without ever touching sensitive cardholder data (full PAN) either from an existing transaction or using the hosted CIM form. We can edit a payment profile using the hosted CIM form. We can charge an existing payment profile with only the profile ID.

However, I don't see a way to get/list a customer's available payment profiles without a CIM response that DOES contain the full PAN (and more sensitive cardholder data).

PS - My understanding is that "acceptable" truncated formats of the CC are outside of the PCI compliance scope: (https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-are-acceptable-formats-for-truncation-of-primary-account-numbers and https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-merchants-allowed-to-request-card-verification-codes-values-from-cardholders).

Thanks!

Fritz

Re: CIM - Get a list of Customer Payment Profiles WITHOUT full PAN?

RichardH — Thu, 29 Oct 2015 01:00:26 GMT

Hello @coppercup

Authorize.Net never returns any sensitive information including the PAN as part of an API response. You can see a full response including masked card numbers in the API Reference: https://developer.authorize.net/api/reference/index.html#customer-profiles-get-customer-payment-profile

Richard

Re: CIM - Get a list of Customer Payment Profiles WITHOUT full PAN?

coppercup — Thu, 29 Oct 2015 13:52:04 GMT

Thanks for your quick response Richard. Much appreciated!

I'm glad to hear it and not sure how I missed that. I looked at the getCustomerPaymentProfileRequest response in the reference several times, but somehow missed the part about the output being masked, even though that was exactly what I was looking for!

Since I initially need a list of a customer's payment profiles, I was mostly looking at the getCustomerProfileRequest method, https://developer.authorize.net/api/reference/index.html#customer-profiles-get-customer-profile, since it returns all of a customer's payment profiles, but he online API reference only says that the creditcard portion of the response "Contains credit card payment information for the customer profile", so I was uncertain. I might be helpful if the description of that output in the API reference could be clarified.

Also, I don't ever recall coming across anything in any documentation indicating that "Authorize.Net never returns any sensitive information including the PAN as part of an API response." That could be a helpful addition to the Responses sections of each of the API documentations and references.

Thanks again! Fritz