I'm using hosted CIM forms to capture user credit card information. After a user enters their payment info, I'd like to make the GetCustomerProfile api call in order to retrieve the customerPaymentProfileId. It returns masked credit card info but the full, unmasked biling address. Is that PCI compliant if my site is hosted on a shared server?
The CIM system is designed to minimize the PCI liability in your system, but it cannot completely remove it. The customer's address is covered by PCI rules when it is returned with the last 4 digits of the card number as it is in our API response. This does not necessarily mean that you cannot display it to your customer, but it does mean that you need to be aware of the PCI guidelines for handling that data. Ultimately, you will need to speak to your merchant account provider or a PCI assessor to confirm that you are in compliance.