If I use the DPM API, but instead of posting back directly to the Authorize.NET server, I post back to my own server and then relay the post to the Authorize.NET server, is this breaking PCI compliance?
Note that I'm not storing the info anyway. I'm just posting it behind the scenes to prevent the user's browser from bouncing around.
Thanks.
04-02-2012 07:48 AM
What you describe is AIM. It is not breaking PCI compliance; all APIs have some level of PCI compliance.
04-02-2012 11:19 AM
Thanks for the reply but I'm a little unsure about your response.
I am using the DPM API. But the intent of that API is that the page is posted directly to the Authorize.NET server.
What I'm doing instead is using AJAX to post it back to my own server, and my server then simulates a post to the Authorize.NET server.
If I store the credit card number in my database, then I must be PCI compliant. But if I simply route it through my server this way, without storing it to permanent storage, then I want to make sure PCI compliance is not required.
Thanks.
04-02-2012 12:55 PM
If you look at the documentation, they all (DPM, SIM, AIM) point to the same URL: https://secure.authorize.net/gateway/transact.dll or https://test.authorize.net/gateway/transact.dll.
The difference is how they work. Look at the "See how it works" pic on all three, and you will see.
If CC info is going to your server, it is AIM. It doesn't matter if you save it or not.
Michelle has a blog on it: PCI and You
04-02-2012 01:08 PM