Let us know what you find.
+++ Rick ---
You are right. We are walking a fine line here. On one hand, we need to give our customers the ability to process cards efficiently. On the other hand, we cannot touch any of the card data (without certification).
Using an encrypted card swipe seems like the way to go. But, Authorize.net is not quite ready for its use in a POS environment.
I'll keep looking.
Bruce
Specifically this FAQ entry seems to be the key:
Myth: PCI only applies to e-commerce companies.
Fact: No, PCI applies to every company that stores, processes or transmits cardholder information. In fact anyone who takes card present transactions that involve POS devices are typically more at risk than e-commerce solutions. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.
+++ Rick ---
Guys,
I have been using Merchant Plus and Authorize.net for quite a while. The AIM interface has worked well. Now, I have run into a new situation. As we know, this year, the PCI regulations have expanded.
The challenge is the rule, "A payment application is anything that stores, processes, or *transmits* card data electronically." and "any piece of software that has been designed to touch credit card data is considered a payment application." Source: http://www.pcicomplianceguide.org/pcifaqs.php
In other words, I need to process payments without touching the card numbers.
The internet side of my application is fine. We use SIM. The desktop application is giving trouble.
The Authorize.net SIM interface will do what I need. I can start a transaction by sending data in a post. The payment form appears in the browser control. I enter the card number on the Authorize.net website from within my app. The only data I save is what Authorize.net gives back to me. SIM works well. But, SIM does not support swiped data. Card swipes are necessary for efficient POS transactions.
Authorize.net has another interface: VPOS. VPOS does support card swipes. However, VPOS has limitations:
The operator needs to enter the invoice number
The operator needs to enter the amount
The operator needs to enter the customer's name
The operator needs to enter a note for what the customer is purchasing
VPOS does not return data to my application
Overcoming these limitations means manual entry. This slows the sales process to do the work accurately. In a POS environment, this is not possible.
Unless I can find a solution to this problem, my customers will be forced to use a non-compliant application. Or else, my customers will be forced to go to a different payment gateway.
Any ideas? Thanks in advance.
from Maui, Hawaii