cancel
Showing results for 
Search instead for 
Did you mean: 

CIM (without hosted solution) PCI Requirements

Hi, i've search thought the forum and still can find an accurate answer on my need. 

I'm implementing a site that will use CIM. We need to ask the user for their CC data, then store it using the CIM API and then we will charge them later.

We want to use an html form in your site that grab the user CC data and billing information, this form will have our server for the action, and we will grab the POST data (without modifing it) and make the API call to store the user information (All this using HTTPS)

 

Do we need to take anything into account for PCI (more than HTTPS and not storing anything?), the card will just pass in our server, but it won't be stored or used. 

mcapeletto
Member
1 ACCEPTED SOLUTION

Accepted Solutions

It's probably applied on the merchant end of things, so if you didn't get your merchant account through Authorize.net (Cybersource) then the fee might be different, but if you haven't passed an official security scan or the scan has been run and failed, there's an extra $15 / month or something like that tacked on for non-compliance.

 

Hosted CIM doesn't have much in the way of complications, it's just figuring out how to implement it the first time that can be a bit difficult. At least if you use iframe popups and not just a redirect.

View solution in original post

7 REPLIES 7

Even if the card just passes through your server, you have to pass fairly strict security requirements, since any hacker who gets in can just insert a piece of code to skim credit cards. It's going to be impossible to pass the requirements with most hosting accounts, you'll need PCI-compliant hosting and even then there's a bunch of hoops you have to jump through. Basically, it's going to be easier to either pay the non-compliance fee, or go the extra mile and figure out hosted CIM, assuming your brain doesn't explode while you're trying to do that.

TJPride
Expert

Hi TJPride, thanks for your quick answer.

What is the non-compliance fee? never heard of it, can you point me to where i can read about that?

I'm also considering hosted CIM, i've made a few testing in sandbox and it seems to work, in your experience it has lots of complications then? can you give me more details so i can give the feedback to my client so he know what to expect in times?

It's probably applied on the merchant end of things, so if you didn't get your merchant account through Authorize.net (Cybersource) then the fee might be different, but if you haven't passed an official security scan or the scan has been run and failed, there's an extra $15 / month or something like that tacked on for non-compliance.

 

Hosted CIM doesn't have much in the way of complications, it's just figuring out how to implement it the first time that can be a bit difficult. At least if you use iframe popups and not just a redirect.

Great, thanks for the feedback, really useful and detailed

Hi, one more question, i'm not sure if i will be able to use Hosted solutions because of how my workflow is, i've two extra questions:

 

1) Can i allow users to create duplicates payment profiles? I really need this, and hosted solution gives an error when trying to create a duplicate profile. If that cannot be disabled, i can't use hosted solution

 

2) If NO to 1), do you have a link where I can read about this fee that has to be paid to stay non-complicance?? i cannot find information anywhere on this

 

Thanks!

Are you trying to create a duplicate payment profile inside the same customer profile, or the same payment profile inside two different customer profiles?

We need duplicate payment profile in the same user profile. 

Duplicate payment profiles in differents users profiles works fine.

 

We might have found one way to deal with this in the logic of our application, but it's not the best approach (using multiple user profiles and so)