DPM & PCI Compliance

I'm investigating using DPM on my website as a means of mitigating PCI compliance issues, but after looking over the SDK samples for DPM, I'm not convinced that DPM solves any PCI compliance problems. For reference, my site is on a shared hosting environment and I do have my own SSL certificate.

Unless I'm missing some fundamental point, DPM puts me on the hook for the full range of PCI compliance issues, simply because the customer enters their credit card information on a form that's hosted on *my* site. Even though I never see or store the card number, it passes through my website ever so briefly on the way to Authorize.Net, and thus triggers the PCI compliance hassle.

But the marketing material for DPM says it "simplifies PCI compliance" -- so in what way does it do that? Which aspects of PCI compliance are nullified by using DPM, especially in a shared hosting environment?

Please help clarify my understanding!

gochibabra
Member

While the form may be hosted on your site, the credit card data goes directly from the user's browser to Authorize.net (see the form action). It never passes through your server. The SSL certificate on your end is actually technically unnecessary, since the user is connecting through Authorize.net's SSL certificate, and the only reason for using one is to prevent confusion by not having people fill out their credit card info on a form that appears to be unsecured.

TJPride
Expert
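An added illustration of the point made in the reply (example code, not from this thread or from Authorize.Net): the merchant server only produces signed hidden fields, while the form's `action` sends the card inputs from the browser straight to the gateway, so no request carrying a card number ever reaches the merchant's host. The field names, the HMAC-MD5 fingerprint recipe (`login^sequence^timestamp^amount^`) and the endpoint URL follow the SIM/DPM documentation as I recall it and are assumptions here; the login ID, transaction key and relay URL are placeholders.

```python
import hashlib
import hmac
import time
from html import escape

# Constructed placeholders: real values come from the Authorize.Net merchant interface.
API_LOGIN_ID = "PLACEHOLDER_LOGIN_ID"
TRANSACTION_KEY = "PLACEHOLDER_TRANSACTION_KEY"
# DPM posts go to the gateway host, not to the merchant's own site (assumed endpoint).
GATEWAY_ACTION = "https://secure.authorize.net/gateway/transact.dll"
RELAY_URL = "https://www.example.com/dpm-relay"  # merchant page the gateway calls back to

def fingerprint(login, transaction_key, sequence, timestamp, amount):
    """HMAC-MD5 over the amount so the gateway can tell the merchant set it (assumed recipe)."""
    msg = f"{login}^{sequence}^{timestamp}^{amount}^"
    return hmac.new(transaction_key.encode(), msg.encode(), hashlib.md5).hexdigest()

def server_side_fields(amount, sequence, timestamp=None):
    """Everything the merchant server contributes to the form. Note: no card fields here."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    return {
        "x_login": API_LOGIN_ID,
        "x_amount": amount,
        "x_fp_sequence": str(sequence),
        "x_fp_timestamp": ts,
        "x_fp_hash": fingerprint(API_LOGIN_ID, TRANSACTION_KEY, sequence, ts, amount),
        "x_relay_response": "TRUE",
        "x_relay_url": RELAY_URL,
    }

def render_form(amount, sequence):
    hidden = "\n".join(
        f'  <input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in server_side_fields(amount, sequence).items()
    )
    # The card inputs are filled in by the customer and submitted to GATEWAY_ACTION;
    # they never appear in a request to the merchant server.
    return f"""<form method="post" action="{GATEWAY_ACTION}">
{hidden}
  <input type="text" name="x_card_num" autocomplete="cc-number">
  <input type="text" name="x_exp_date" autocomplete="cc-exp">
  <button type="submit">Pay</button>
</form>"""

if __name__ == "__main__":
    print(render_form("19.99", 12345))
```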