Quote:
Originally Posted by ambal
Hi folks,
re: DPM - it is a very controversial solution. Note that Auth.net doesn't position it as a way to tick the "PA-DSS compliant" checkbox. Just as a way to "reduce your PCI compliance level".
Different QSAs consider solutions like DPM differently. In order to be safe I recommend everyone to consult with their QSA or merchant account provider directly. At least you'll have someone to point at.
In addition to Alexander's message:
When using the Auth.net DPM solution, the credit card form is created by the shopping cart software (using X-Cart's template files), and this form is hosted on the merchant's server.
When a buyer fills in and submits this form, the entered cardholder's data is then posted directly to Authorize.Net's endpoint.
However, if the merchant's server is compromised, then X-Cart's credit card form can also be compromised. So, the merchant needs to ensure that their server environment (including the shopping cart software) is PCI-DSS compliant, don't they?
I would recommend consulting your QSA or merchant account provider directly regarding the matter - whether you need to go with SAQ A or SAQ C when using the Auth.net DPM solution.
You can read more about the Auth.net DPM solution at:
* http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Direct-Post-Method-DPM/ba-p/7014