My project requires authorizing a credit card for up to the maximum number of days that Authorize.net allows, and then capturing the payment asynchronously upon approval and invoice from our client.
Right now, I'm currently leveraging AcceptJS UI's Hosted Payment Form for its compliance with PCI-DSS SAQ A, and purposefully avoiding the burden of complying with it if we made the form ourselves.
From what I understand based on the documentation, AcceptJS authorizes the credit card and can only capture within 15 minutes upon receiving the payment nonce.
Therefore, am I right to assume the following:
1) AcceptJS must capture within 15 minutes of the payment nonce. Anything outside the range, the customer would need to input their credit card again within our application utilizing AcceptJS.
2) Without AcceptJS, I need to build a credit card form that communicates with Authorize.net's API (https://developer.authorize.net/api/reference/index.html#payment-transactions-authorize-a-credit-car...), and make sure that we build the infrastructure to be PCI-DSS SAQ A-EP compliant?
I hope that all made sense.
Many thanks in advance!