Direct Post Method - Authorize.net

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
Post Reply
sweeperq
Commodore (COMO)
Commodore (COMO)
Posts: 495
Joined: Tue Jan 03, 2006 2:45 pm

Direct Post Method - Authorize.net

Post by sweeperq » Tue Sep 06, 2011 1:37 pm

Talked with a QSA today because we had received conflicting information from our PCI implementation consultant and Trustwave. Our consultant told us we could do SAQ-C since we were not storing credit card numbers. Trustwave was telling us we needed SAQ-D since the credit card data still passes through our servers.

The QSA also informed us that we should be using SAQ-D and encouraged us to modify our business processes to get out from under the SAQ-D requirements rather than trying to comply with them. Had mentioned that we purchased PA-DSS Certified shopping cart. He said that helps with 70-80% of SAQ-D, but there are still several requirements that would be difficult to achieve for a small-to-medium sized business.

His recommendation was to move to a tokenized payment system. Essentially, payment is submitted directly to the processor and they pass you back a token to reference the payment information. It never touches your server at all. This would take you all the way up to the 14-question SAQ-A. I had specifically asked about Authorize.net's Direct Post Method (DPM), and he said it sounds like exactly what he was talking about.

Has anyone out there worked with the DPM? How did it integrate into your system? Do you still get AVS and Authorization codes? Can AbleCommerce still handle capture/refund in the Admin?

http://developer.authorize.net/api/dpm/

Thanks,
Sam

Post Reply