AbleCommerce Shopping Cart Software

I just downloaded the Gold R7 demo because one of the features was Authorize.net CIM payments. This feature is important to us in order to reduce PCI compliance scope. If the payment data never touches our server and we can get an attestation of compliance from Authorize.net, it greatly reduces the burden of PCI self-assessments.

However, when I look at the source for the Payment form, it appears that the form is a] hosted on our server (as opposed to an iframe), and b] does a javascript postback to our server. I thought the whole point of CIM was that the data never touches your server. How is it any different than AIM with the way it is currently implemented?

The point of CIM is not that the data never touches your server. Instead CIM allows you to 'STORE' credit-card data on Authorize.NET servers. That data that if you store locally otherwise, will raise your PCI compliance requirements. CIM is most useful when you have to make subsequent charges on credit cards - like in subscriptions and etc. When you have credit card data stored at Authnet servers, you do not have to ask the credit card details from the customer again if you want to charge a subsequent payment.

So if you use the CIM gateway, there is a token stored somewhere in AbleCommerce to reference that for further transactions?

Yes - that token is called Payment Profile Id