AIM, DPM or SIM?

Hi,


We currently use AIM for our integration on our web-application. We are being asked by our merchant to become PCI compliant, and right now, this means going into PCI-compliance for our web-server. We are reviewing possible ways to eliminate this step.


I have come up with a couple of solutions that I would welcome anyone's comments or help with:


1. We can still accept CC transactions, but instead of accepting them on our website, we will email a link to the user which will send them to a link on our website or Auth.Net that will use SIM to pay for their total amount.

2. We can have them finish their shopping on our website, and at the end, send them to Auth.Net using a carefully constructed SIM with their invoice #, total ..etc.


To me it looks like using SIM may solve the problem. But it will create additional steps for us to verify payment, and for our users. This can create confusion and errors.


Has anyone had similar issues with their sites? Any suggestions on workarounds?


We are a merchant level 4. We have been asked to do SAQ D. We are a small organization, so it is really not the best option for us.

I am trying to move us into an SAQ C, which will be easier and less expensive to implement.


I was also looking into DPM, which seems like it might help, but Trustwave (our QSA) says if the form is hosted by us (and we are accepting the card), it will not eliminate PCI compliance for our website.


Any help is appreciated. Thanks!


We are using ASP.NET.

dp786
Member

"To me it looks like using SIM may solve the problem. But it will create additional steps for us to verify payment, and for our users."


I agreed with that assessment, regarding the additional steps, based on the "How it works" diagram here: http://developer.authorize.net/api/howitworks/sim


However I think that diagram is incomplete. The documentation describes how SIM can support a relay response URL whereby the gateway does not supply a receipt page directly to the user. Instead it sends the transaction results to the merchant server and the merchant server replies with the receipt page.


Look here: http://www.authorize.net/support/SIM_guide.pdf


Right now that looks like our best option given that DPM is likely not to reduce the scope of PCI compliance, IMHO.



calvin
Member
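
The relay-response flow described in that reply, as an added example (not code from this thread or from Authorize.Net): a sketch of the merchant-side handler logic that would be ported into the ASP.NET relay page, receiving the gateway's POST, checking it, and replying with the receipt page. It assumes the legacy SIM MD5 scheme from the SIM guide (MD5 of the Merchant Interface hash value, API login ID, transaction ID and amount), which Authorize.Net has since superseded with a SHA-512 signature key, so confirm the current field names against the live documentation; the credentials and order records here are constructed placeholders.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed placeholder credentials: the real values come from the Merchant Interface.
API_LOGIN_ID = "demoLogin"
MD5_HASH_VALUE = "demoSecret"          # "MD5 Hash Value" set in the Merchant Interface
ORDERS = {"INV-1001": "19.99"}         # constructed stand-in for our own order records

def expected_hash(trans_id: str, amount: str) -> str:
    """Legacy SIM relay-response hash: MD5(MD5HashValue + APILoginID + TransID + Amount)."""
    raw = MD5_HASH_VALUE + API_LOGIN_ID + trans_id + amount
    return hashlib.md5(raw.encode()).hexdigest().upper()

def verify_relay_response(body: str) -> dict:
    """Check a relay-response POST before treating it as proof of payment."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    trans_id, amount = fields.get("x_trans_id", ""), fields.get("x_amount", "")
    given = fields.get("x_MD5_Hash", "").upper()
    # 1. Authenticity: anyone can POST to the relay URL, so reject unhashed or mis-hashed data.
    if not hmac.compare_digest(given, expected_hash(trans_id, amount)):
        return {"verified": False, "reason": "hash mismatch"}
    # 2. Our own verification step: the paid amount must match the invoice total we issued.
    invoice = fields.get("x_invoice_num", "")
    if ORDERS.get(invoice) != amount:
        return {"verified": False, "reason": "amount does not match invoice"}
    # 3. Only response code 1 is an approval; declines, errors and holds are not.
    return {"verified": True, "approved": fields.get("x_response_code") == "1",
            "invoice": invoice, "trans_id": trans_id, "amount": amount}

def receipt_page(result: dict) -> str:
    """HTML the merchant server returns to the gateway, which displays it to the customer."""
    if not result["verified"]:
        return "<html><body><h1>Payment could not be confirmed.</h1></body></html>"
    status = "approved" if result["approved"] else "declined"
    return f"<html><body><h1>Invoice {escape(result['invoice'])}: {status}</h1></body></html>"

def gateway_post(trans_id: str, amount: str, invoice: str, code: str) -> str:
    """Constructed stand-in for the gateway's POST body, hashed with the shared secret."""
    return urlencode({"x_response_code": code, "x_trans_id": trans_id, "x_amount": amount,
                      "x_invoice_num": invoice, "x_MD5_Hash": expected_hash(trans_id, amount)})

if __name__ == "__main__":
    good = gateway_post("2150000001", "19.99", "INV-1001", "1")
    forged = good.replace("x_amount=19.99", "x_amount=0.01")   # amount altered in transit
    print(receipt_page(verify_relay_response(good)))
    print(receipt_page(verify_relay_response(forged)))
```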

I'm in the same boat -- we are likely forced to be SAQ-C -- which one of these is better for accepting donations?


Thank you, Tom