Originally Posted by gravel
I think the concept behind this is the same as the Braintree Transparent Redirect:
The key thing isn't where the cc information is typed in; it's where and how information is sent. A customer's computer is completely outside of PCI scope, and they can type their cc numbers anywhere on their computer til the cows come home, with no problem. It's how and where the numbers are sent that makes the difference.
So they type it in their browser but instead of it being sent to your server, that information is sent directly to the gateway (Braintree / Authorize.net). Your hosting server never sees it.
I think Gravel explains it very well.
Authorize.net can't say it takes you out of PA/DSS scope because they cannot comment on your other business processes which may touch/transmit CC information. This is also why we state on our site that it:
Supports you to be PCI compliant including the new PA/DSS standard
Allows the store owner to complete PCI compliance with a Self Assessment Questionnaire (SAQ) A, instead of the more complex SAQ D*.
* A full assessment of a vendor's specific business process is required to determine which SAQ needs to be completed to achieve PCI compliance.
So it is one step towards PCI compliance, but PCI compliance goes beyond just your payment gateway.
This is also the same as X-payments if you choose to use that route. It's just one step towards PCI compliance.
I hope this helps.
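An added example, not part of the original posts: a small check a store owner could run against their checkout page's HTML to confirm that every form carrying card fields submits straight to the gateway over HTTPS and never to the store's own host. The host names (`shop.example`, `gateway.example`) and the field-name hints are assumptions for illustration, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic substrings for card-data field names (assumption, tune per site).
CARD_HINTS = ("card", "cvv", "cvc", "ccnum", "cc_num")

class FormCollector(HTMLParser):
    """Collect each <form>'s resolved action URL and its card-like inputs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._cur = {"action": urljoin(self.page_url, a.get("action") or ""),
                         "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            name = (a.get("name") or "").lower()
            if any(h in name for h in CARD_HINTS):
                self._cur["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_checkout(html, page_url, gateway_hosts):
    """Return (action_url, problem) for forms sending card fields off-gateway."""
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["fields"]:
            continue  # no card data in this form
        url = urlparse(form["action"])
        if url.hostname not in gateway_hosts:
            findings.append((form["action"], "card fields posted to non-gateway host"))
        elif url.scheme != "https":
            findings.append((form["action"], "card fields posted without TLS"))
    return findings

# Constructed sample page; shop.example and gateway.example are placeholders.
SAMPLE = """
<form action="/search"><input name="q"></form>
<form method="post" action="https://gateway.example/pay"><input name="card_number"><input name="cvv"></form>
<form method="post" action="/checkout/submit"><input name="card_number"><input name="cvv"></form>
<form method="post"><input name="ccnum"></form>
"""
```

Calling `audit_checkout(SAMPLE, "https://shop.example/checkout", {"gateway.example"})` flags the two forms that would deliver card fields to the store's own server, including the one with no `action` attribute, which submits back to the page URL.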