cancel
Showing results for 
Search instead for 
Did you mean: 

DPM and PCI-compliance

hi-

 

we are currently moving from AIM to DPM in order to become pci-compliant. according to the third-party resource we're using, DPM puts us into SAQ C, which they liken to a POS system.

 

can anyone help me figure out how i can answer these questions? we are not saving any cc information whatsoever; will just have the cc form on our site, the user enters cc information and it is posted to authorize.net

 

  1. Your company has a payment application system and an Internet or public network connection on the same device and/or same local area network (LAN)
  2. The payment application system/Internet device is not connected to any other systems within your environment
  3. Your company store is not connected to other store locations, and any LAN is for a single store only
  4. Your company does not store cardholder data in electronic format
  5. If your company does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically
  6. Your company's payment application software vendor uses secure techniques to provide remote support to your payment application system

thanks!

 

laura

lfolco
Member
1 ACCEPTED SOLUTION

Accepted Solutions

While it may appear that SAQ-C applies, DPM does not actually transfer the credit card data through your hosting. It goes direct from the customer's computer to Authorize.net. You shouldn't really be on the hook for any PCI compliance requirements, I would think, unless you're using DPM to enter customer orders yourself, rather than putting them in via the control panel (which is SAQ-VT, I believe).

 

SAQ-C would be more for a POS device, where the device would be used solely for charging credit cards and would not be networked to anything else or used for any other purpose (including web hosting). In that instance, the credit card data -would- pass through the device on its way between the swiper or entry form and Authorize.net.

View solution in original post

TJPride
Expert
2 REPLIES 2

While it may appear that SAQ-C applies, DPM does not actually transfer the credit card data through your hosting. It goes direct from the customer's computer to Authorize.net. You shouldn't really be on the hook for any PCI compliance requirements, I would think, unless you're using DPM to enter customer orders yourself, rather than putting them in via the control panel (which is SAQ-VT, I believe).

 

SAQ-C would be more for a POS device, where the device would be used solely for charging credit cards and would not be networked to anything else or used for any other purpose (including web hosting). In that instance, the credit card data -would- pass through the device on its way between the swiper or entry form and Authorize.net.

TJPride
Expert

thanks! that's what i had originally thought, but wasn't 100% sure.