New to the blog, don't think this has been exactly answered elsewhere, please forgive if it has.
If I use CIM, Hosted Form, and get the customer's token (customer ID, payment profile ID), which I can then use to submit payment transactions, I am (I believe) then SAQ A compliant (no data stored locally other than the tokens, and no CC data transmitted at all from local machines, all done on hosted pages).
However, if anyone got my API Login, Transaction Key and those tokens, couldn't they then impersonate me and have an even easier time sending fraudulent transactions? We'd still have the card type, last 4, etc., associated with the token, so we know which card a specific customer is using (also customers have to have the token associated with their names, etc.), so if my data was compromised, that would be a nightmare.
Obviously, if my data was compromised otherwise (even storing CC #s), same problem - my guess is as long as I'm taking steps to protect access to my data, as long as I don't (a) store CC info, and (b) don't even send CC info through any transmissions (SSL or otherwise), I'm still SAQ A compliant.
Just wanted to get some opinions from others on this. We're transitioning from storing the CC #s (encrypted) in our data to either using tokens only or tokens and Hosted Forms.
Thanks in advance!
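Two defender-side checks for the transition described above, as an added example (not code from this thread or from Authorize.Net): a scanner that flags any stored record still carrying a full card number from the old scheme, and a builder for the token-based CIM charge that shows the request needs only the profile IDs plus the API credentials, which therefore belong in a secret store separate from the customer database. The CIM XML element names are as I recall the API and should be treated as assumed; the records and card number are constructed test data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of what the local store holds after moving to tokens:
# profile IDs plus card type and last 4, never the full number.
CUSTOMER_RECORDS = [
    {"name": "Jane Doe", "customer_profile_id": "10000001",
     "payment_profile_id": "20000001", "card_type": "Visa", "last4": "1111"},
    # Constructed leftover from the old scheme: a full (test) PAN still present.
    {"name": "John Roe", "customer_profile_id": "10000002",
     "payment_profile_id": "20000002", "card_type": "Visa", "last4": "1111",
     "legacy_card": "4111111111111111"},
]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # candidate card-number runs


def luhn_ok(digits: str) -> bool:
    """Luhn check so that ordinary numeric IDs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(record: dict) -> list:
    """Return (field, value) pairs in a stored record that look like full card numbers."""
    return [(field, m.group())
            for field, value in record.items()
            for m in PAN_RE.finditer(str(value)) if luhn_ok(m.group())]


def build_token_charge(login_id: str, transaction_key: str, record: dict, amount: float) -> str:
    """Build a CIM createCustomerProfileTransactionRequest that charges a stored token.
    login_id / transaction_key must come from a secret store, not from the customer
    table, so a dump of the records alone cannot be replayed as transactions."""
    root = ET.Element("createCustomerProfileTransactionRequest",
                      xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd")
    auth = ET.SubElement(root, "merchantAuthentication")
    ET.SubElement(auth, "name").text = login_id
    ET.SubElement(auth, "transactionKey").text = transaction_key
    capture = ET.SubElement(ET.SubElement(root, "transaction"), "profileTransAuthCapture")
    ET.SubElement(capture, "amount").text = f"{amount:.2f}"
    ET.SubElement(capture, "customerProfileId").text = record["customer_profile_id"]
    ET.SubElement(capture, "customerPaymentProfileId").text = record["payment_profile_id"]
    return ET.tostring(root, encoding="unicode")
```

Run `find_pans` over every record before declaring the old column gone; a clean result plus credentials kept out of the database is what limits the damage from the compromise scenario in the post.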
It doesn't look like anyone has responded yet, but someone still may have feedback on what you're looking for. I'd recommend subscribing to this topic so that you'll be alerted via email if anyone else from the community is able to respond with any comments. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies to your post.