We have a new requirement to allow an integrator to pass us a credit card number as part of a transaction. Even though we won't store the cardholder data, other than in memory, there doesn't seem to be any intuitive way to do this without ending up in the dreaded PCI SAQ D category since they are calling our API.
Any ideas?
Thanks,
E
08-22-2017 04:46 PM
Accept.js is well suited and designed for replacing payment information with a nonce that can be used in standard API calls. You can even retrieve said nonce server-side without using JavaScript; an example for doing so is located at https://community.developer.authorize.net/t5/Ideas/Test-Opaque-Token/idc-p/59455#M452. Or you could have them send their credit card information via an Accept Hosted form.
Either of these options would significantly reduce your PCI requirements.
08-23-2017 02:05 AM
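The nonce flow described in the reply above, seen from the receiving server, as an added example that is not code from this thread or from Authorize.Net. The function names (`containsPan`, `buildChargeRequest`) and the shape of the integrator's request body (`opaqueData`, `amount`) are assumptions; the nonce value used with it is constructed.

```javascript
// Luhn checksum: true for digit strings that could be a real card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Walk the whole payload looking for PAN-like values
// (13-19 digits, spaces or dashes allowed, Luhn-valid).
function containsPan(value) {
  if (typeof value === "string" || typeof value === "number") {
    const digits = String(value).replace(/[ -]/g, "");
    return /^\d{13,19}$/.test(digits) && luhnValid(digits);
  }
  if (value && typeof value === "object") {
    return Object.values(value).some(containsPan);
  }
  return false;
}

// Build a createTransactionRequest body from the opaqueData that Accept.js
// returned to the integrator. Raw card numbers are refused before any
// further processing, so only the nonce reaches the rest of the system.
function buildChargeRequest(body, creds) {
  if (containsPan(body)) throw new Error("raw card number in request; rejected");
  const od = body.opaqueData;
  if (!od || typeof od.dataDescriptor !== "string" || typeof od.dataValue !== "string") {
    throw new Error("missing opaqueData");
  }
  return {
    createTransactionRequest: {
      merchantAuthentication: { name: creds.apiLoginId, transactionKey: creds.transactionKey },
      transactionRequest: {
        transactionType: "authCaptureTransaction",
        amount: body.amount,
        payment: { opaqueData: { dataDescriptor: od.dataDescriptor, dataValue: od.dataValue } },
      },
    },
  };
}
```

The returned object is the JSON body for the standard transaction API call; the credentials are passed in by the caller and never come from the integrator's request.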
The example source you linked here and the function of Accept.js both appear to do the same thing - submit card data directly to Authorize.NET and return a token to be used later. Is there anything about how the PHP SDK functions that would not reduce requirements the same way that using Accept.js would? We currently submit credit card information to Authorize.NET by way of generating payment profiles immediately when card data is submitted to our server. We then only store the resulting ID in our system.
I see how Accept.js would skip any interaction with our server directly since it runs on the client, but we need to be able to accept card data programmatically on the server side, which means client-side solutions won't work here.
Any suggestions? Much appreciated!
08-31-2017 11:12 AM