Question

I have been looking at authorize.net, notably their CIM and DPM solutions. The problem is that I can't just reference a CIM profile in the DPM. For people who don't use authorize.net, basically authorize.net manages my users' stored credit cards (on their site), but I can't use the ID of their stored credit card to make a payment through DPM; I have to retrieve that information from their servers, and pass it back to them in another request. This act forces me to be PCI compliant (because I've handled the credit card numbers).

My question is: is there another provider that would allow me to use something similar to authorize.net but that allows my site to never touch the credit card/shipping information?

Solution

You're required by your merchant bank to be PCI compliant no matter what, but the requirements can be reduced if you use other services that handle the transfer of credit card data to your gateway.

If credit card data touches your servers, you likely need to fill out Self-Assessment Questionnaire C: https://www.pcisecuritystandards.org/documents/pci_saq_c_v2.doc

If you use a service that handles this transfer, you'll likely only need Self-Assessment Questionnaire A (but be sure to check with any service you're looking at): https://www.pcisecuritystandards.org/documents/pci_saq_a_v2.doc

Disclaimer: I work for Recurly, one of the services you can use to minimize the scope of your PCI compliance. You may also want to take a look at Chargify, CheddarGetter, or SaaSy, but I'm happy to answer any of your questions.

Other tips

Infintech allows that, although it's not crystal clear from their web site. On your site, you need a way to identify the user, but you don't need to store credit card information, addresses, or anything like that.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow