We are currently using Magento Community 1.8.1 integrated with Authorize.net to handle our credit card transactions. We are employing AIM and have some questions regarding the handling of credit card data. We currently use MageStore's One Step Checkout extension to collect the credit card and customer data for an order, and then it is passed to Authorize.net for processing.
Honestly, we are not sure of the data flow, nor whether any sensitive data is being stored in the Magento database, and if it is, all the tables that are being used to do so. First and foremost is whether or not Magento is storing persistent credit card data in its database beyond what we have discovered to date.
Our developers have identified two tables where credit card data is stored: sales_flat_quote_payment and sales_flat_order_payment. In neither of these tables does credit card or customer info appear in its entirety. In sales_flat_quote_payment there are the last four digits of the credit card, and everything is NULL in sales_flat_order_payment. So my second question is: are there additional tables where credit card data is being stored?
Ideally, we would prefer not having any sensitive credit card data in our back-end and would prefer that it all be managed and controlled by Authorize.net. We have been advised that implementing SIM as opposed to AIM would enable us to do that and would also mitigate a majority of the PCI compliance challenges by placing them in Authorize.net's court. However, the drawback would be a dependency on the Authorize.net payment form. We would much prefer using our current one-step checkout page and passing the data to Authorize.net, as long as the data left behind in the above-mentioned tables is either non-persistent or rendered useless. My third question is: Can we set Mage_Payment_Model_Method_Cc to false and just not save the credit card data at all but just pass it to Authorize.net? Also, if we set this to false, could we be assured that there is no credit card data being stored in our database?
If at some point we want to retain credit card data, perhaps we could employ the CIM (Customer Information Management) functionality to enable customers to re-use credit card info for future purchases. Does this seem like a viable approach?
Any help here would be appreciated in terms of understanding how the default Magento/AIM functionality plays with Authorize.net and whether or not we can just cease saving credit card data altogether and just pass it to Authorize.net.
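To answer the "are there additional tables?" question for a specific install, the following audit queries (an added example, not code from the original post, from Magento or from Authorize.net) scan a Magento 1.x MySQL database for card-related columns and count rows that still hold encrypted PAN or CVV material. They assume the default empty table prefix and the standard Magento 1 column names (cc_number_enc, cc_cid_enc, cc_last4 in the quote table, cc_last_4 in the order table, additional_data / additional_information); adjust these if your schema differs.

```sql
-- Added audit example for a Magento 1.x (MySQL) database; not part of the
-- original post or of Magento/Authorize.net code. Run read-only against a
-- copy or with a read-only account. Assumes no table prefix.

-- 1. List every column in the current schema whose name suggests card data,
--    so that tables beyond the two payment tables show up as well.
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND (COLUMN_NAME LIKE 'cc\_%'       -- cc_number_enc, cc_cid_enc, cc_last4 ...
       OR COLUMN_NAME LIKE '%card%'
       OR COLUMN_NAME LIKE '%cvv%')
ORDER BY TABLE_NAME, COLUMN_NAME;

-- 2. Quote payments: quotes (carts) persist long after checkout unless they are
--    cleaned up, so this table matters as much as the order table.
--    with_pan and with_cvv should both be 0; last-4 alone is a truncated PAN.
SELECT
  COUNT(*)                                                AS quote_rows,
  SUM(cc_number_enc IS NOT NULL AND cc_number_enc <> '')  AS with_pan,
  SUM(cc_cid_enc    IS NOT NULL AND cc_cid_enc    <> '')  AS with_cvv,
  SUM(cc_last4      IS NOT NULL)                          AS with_last4
FROM sales_flat_quote_payment;

-- 3. Order payments: same check; cc_number_enc is the column that must be empty.
SELECT
  COUNT(*)                                                AS order_rows,
  SUM(cc_number_enc IS NOT NULL AND cc_number_enc <> '')  AS with_pan,
  SUM(cc_last_4     IS NOT NULL)                          AS with_last4
FROM sales_flat_order_payment;

-- 4. Serialized blobs written by extensions can carry card fields too, so
--    search the free-form columns for the field names (assumed column names).
SELECT 'quote' AS src, entity_id
FROM sales_flat_quote_payment
WHERE additional_information LIKE '%cc_number%' OR additional_data LIKE '%cc_number%'
UNION ALL
SELECT 'order' AS src, entity_id
FROM sales_flat_order_payment
WHERE additional_information LIKE '%cc_number%' OR additional_data LIKE '%cc_number%';
```

Any non-zero with_pan or with_cvv count, or any hit from query 4, points at data that Authorize.net should be holding instead, and at the extension or configuration that wrote it.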
It's been a while since this was first posted.
In answer to some of your questions, you can use Customer Profiles to securely store payment data on Authorize.Net servers using either your own form or our hosted form, depending on how much of the PCI burden you want to take on.
You may also want to explore pre-integrated solutions for Magento in our Certified Solution Directory.
I would also recommend subscribing to this topic so that you'll be alerted via email if anyone from the community is able to respond with any comments. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies.