I am trying to determine if using the hosted CIM on a self-hosted website will still allow for validation with SAQ A (3.1 this year with the standard change; used SAQ A 2.0 in the past). For it to be applicable, "all elements of the payment page delivered to the consumer's browser originate only and directly from a PCI DSS validated third party service provider". Does the hosted CIM have the same type of functionality as the DPM, where although the payment page is hosted by Authorize.net and that is where the consumer CHD is captured, the merchant website has control over the payment page generation, thus could be hit with a man-in-the-middle attack, and why the PCI council requires SAQ A-EP for DPM use?
06-17-2015 12:31 PM
Hello @AmberE
It's been a while since this was first posted. This is probably a conversation you should have with your QSA.
I would recommend subscribing to this topic so that you'll be alerted via email if anyone from the community is able to respond with any comments. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies.
Thanks,
Richard
06-19-2015 07:59 AM
Thank you for the response and suggestion, Richard; I have already subscribed! I was just hoping for some clarification on whether the hosted CIM functions more like an iFrame, or if, by implementing it, it would end up functioning more like the DPM, where the website does have some control over how the payment page is generated and would require more security precautions be taken. Trying to decide which integration to go with, and have not engaged a QSA, as the site is not yet completed or functional.
06-19-2015 08:30 AM