In the mean time, if credit cards are compromised from your system (which the banks can tell by cross-referencing where cards have been used and finding the common point), then you will be subject to LARGE fines which your merchant agreement already states you agree to pay. Most small businesses will go bankrupt since general E&O insurance will generally not cover hacking losses (if you have E&O to start with).

I’m got something brewing that might alleviate this for a lot of people… we’ll see!

Now, at Brian…. add me to the list of people who would be interested in that proxy.

@Jimmy, I have bad news and bad news for you. We’re also looking at using auth.net’s CIM, but it does NOT mean your website is out of scope. You’ve handled the “store part”, but because your network transmits cardholder data, your website and web hosting environment are IN SCOPE for PCI DSS. The only way to keep your website out of scope is for your clients to post their form the with cc data to someone elses website. If they post the data to your site, even if you just pass it immediately to auth.net and then kill it, your entire website is in scope and will have to be PCI compliant.

Welcome to the wonderful world of PCI

When I do a monthly charge to a customer instead of using authnets clunky recurring billing I’m able to pass an encrypted customer and card id to the CIM and have their server do all the charging and authorization.

I built a CFC to manage the integration with that and I’ll get it up on RIAForge one of these days soon. (Along with the Eventful CFC which is coming along nicely!)