I was wondering if anyone here has used the authorize.net "Advanced Integration Method" API.
I've scoured the FAQs on their site, but I can't seem to find a straightforward answer or get through to them at this hour.
I know the API requires SSL (obviously), but does their TOS agreement require PCI compliance or any kind of certification, provided you are not storing credit card numbers? Also, if anyone would happen to know, is there anything in their TOS against using this for an app that stores merchant credentials (with explicit merchant permission, of course)?
To clarify, on that last part, I'm talking about a SaaS application storing merchant ID and transaction keys for multiple merchants (same server).
Yes, it requires PCI compliance. AIM requires you to collect the user data on your own web server before sending it off to Authorize.Net for processing. This means you are handling and transmitting credit card information and therefore must be PCI compliant.
This is not an Authorize.Net requirement; it's a Payment Card Industry requirement. Authorize.Net does not take responsibility for how a merchant handles their payments insofar as they do not violate Authorize.Net's terms of service. So if you're not PCI compliant, Authorize.Net doesn't care. But the card issuers do and will raise issues with the merchant if their site is not PCI compliant and using the AIM API.