We've implemented our donor site using DPM, not realizing that it could not handle ARB. My client wishes to remain PCI compliant, specifically SAQ-A. SAQ-A requires that credit card information never touch the server in any way.
If I have the transaction id from DPM, is it possible to use the ARB api to set up recurring billing accounts? I know it can be done manually, but this needs to be automated. I'm used to working with Braintree, which has excellent APIs available for minimizing your PCI exposure. Is there any other way to use ARB without sacrificing PCI compliance?
03-13-2013 08:59 AM
Not through the API, but you can do it through the merchant account interface; it requires a successful transaction first.
03-13-2013 09:08 AM
So are you saying that Authorize.NET does not have any way to automate recurring payments while staying PCI (SAQ-A) compliant? This seems like a HUGE missing feature. Most (if not all) cloud hosting services do not offer PCI compliance guarantees. As soon as the credit card hits our server (even if we don't store it), we reach SAQ-D level, which means we would need to host a physical server on a network that we control. This is overkill for something like a small-town charity donation site, and can become extremely expensive for them if audited (disclaimer: I'm not a PCI compliance expert; this is only based on my current understanding).
Braintree exposes their entire API over their transparent redirect method, which makes it extremely easy to do this. I don't understand why Authorize.NET has to be so segmented in its feature set. I definitely won't be recommending Authorize.NET to any future clients.
03-13-2013 06:19 PM