I just got off the phone with a QSA and we had this same discussion in
regards to my application that uses DPM.The response from the QSA was
that if the form is generated by the application server, even though it
is submitted to directly to Authorize...
CIM is definatley the way to go, as is stores the credit cards on the
authorize.net server, BUT it does absolutely nothing to help with PCI
compliance or reduce the merchant liability . The only way (right now)
to get the data into CIM is through XML...