
CIM - Get a list of Customer Payment Profiles WITHOUT full PAN?

Question:

Is it possible to retrieve/get a simple list of Customer Payment Profiles via the CIM API that does not include the full PAN (primary account number)?

 

Background:

We're trying to devise ways to replace traditional CIM/AIM/ARB integrations, which are now within PCI DSS A-EP scope, with a PCI-A-compliant methodology.

 

In particular, we have a site that lists Customer Payment Profiles in the site's customer account and also during the checkout payment step so that the customer can elect to edit, delete or pay with an existing payment profile. The list of payment profiles includes only the card type and the last four of the CC to help identify it for the customer.

 

It looks like we can create payment profiles without ever touching sensitive cardholder data (full PAN) either from an existing transaction or using the hosted CIM form. We can edit a payment profile using the hosted CIM form. We can charge an existing payment profile with only the profile ID.

 

However, I don't see a way to get/list a customer's available payment profiles without a CIM response that DOES contain the full PAN (and more sensitive cardholder data).

 

PS - My understanding is that "acceptable" truncated formats of the CC are outside of the PCI compliance scope: (https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-are-acceptable-formats-f... and https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-merchants-allowed-to-requ...).

 

Thanks!

Fritz

coppercup
Regular Contributor
Accepted Solutions

Hello @coppercup

 

Authorize.Net never returns any sensitive information including the PAN as part of an API response. You can see a full response including masked card numbers in the API Reference:  https://developer.authorize.net/api/reference/index.html#customer-profiles-get-customer-payment-prof...

 

Richard

 

 

RichardH
Administrator

Thanks for your quick response Richard. Much appreciated!

 

I'm glad to hear it and not sure how I missed that. I looked at the getCustomerPaymentProfileRequest response in the reference several times, but somehow missed the part about the output being masked, even though that was exactly what I was looking for!

 

Since I initially need a list of a customer's payment profiles, I was mostly looking at the getCustomerProfileRequest method, https://developer.authorize.net/api/reference/index.html#customer-profiles-get-customer-profile, since it returns all of a customer's payment profiles, but the online API reference only says that the creditcard portion of the response "Contains credit card payment information for the customer profile", so I was uncertain. It might be helpful if the description of that output in the API reference could be clarified.

 

Also, I don't ever recall coming across anything in any documentation indicating that "Authorize.Net never returns any sensitive information including the PAN as part of an API response." That could be a helpful addition to the Responses sections of each of the API documentations and references.

 

Thanks again! Fritz

 

 

coppercup
Regular Contributor
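
As an added example (not part of the original thread and not Authorize.Net's code): a fail-closed way to build the card type / last-four list from a getCustomerProfile response. The JSON field names and the `XXXX1111` masked form are assumptions modelled on the linked API reference, and the sample response is constructed.

```python
import re

# Assumed masked form of cardNumber in CIM responses: "XXXX" + last four digits.
MASKED_PAN = re.compile(r"X{4}(\d{4})")

# Constructed sample shaped like a getCustomerProfile JSON response (not real data).
SAMPLE_RESPONSE = {
    "profile": {
        "customerProfileId": "10000001",
        "paymentProfiles": [
            {"customerPaymentProfileId": "20000001",
             "payment": {"creditCard": {"cardNumber": "XXXX1111",
                                        "expirationDate": "XXXX",
                                        "cardType": "Visa"}}},
            {"customerPaymentProfileId": "20000002",
             "payment": {"creditCard": {"cardNumber": "XXXX0015",
                                        "expirationDate": "XXXX",
                                        "cardType": "MasterCard"}}},
            # Non-card profile: nothing card-related to list.
            {"customerPaymentProfileId": "20000003",
             "payment": {"bankAccount": {"accountNumber": "XXXX4321"}}},
        ],
    }
}


def list_payment_profiles(response):
    """Return display rows (id, card type, last four) for card profiles.

    Raises ValueError if any cardNumber is not in the masked form, so an
    unexpected full PAN is never rendered, logged or stored by this code.
    """
    rows = []
    for pp in response.get("profile", {}).get("paymentProfiles", []):
        card = pp.get("payment", {}).get("creditCard")
        if card is None:
            continue
        match = MASKED_PAN.fullmatch(card.get("cardNumber", ""))
        if match is None:
            # Report only the profile ID, never the offending value.
            raise ValueError("cardNumber not masked for payment profile "
                             + str(pp.get("customerPaymentProfileId")))
        rows.append({"id": pp["customerPaymentProfileId"],
                     "card_type": card.get("cardType", "Card"),
                     "last4": match.group(1)})
    return rows
```

Only the profile ID, card type and last four digits leave this function, which matches what the account and checkout pages described in the question need to display.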