Authorize.Net CIM: What is the extension's PCI scope?

PCI compliance is a complex and multifaceted issue, covering every aspect of your business. We can't guarantee that your business is PCI-compliant. That depends on your server, policies, processes, regular security scans, other payment methods offered, and a lot more. What we can tell you is that this extension will not prevent you from being PCI compliant. We don't store or log confidential cardholder data, or do anything else that would bring you under scrutiny.

The exact PCI scope of this extension depends on your configuration.

• If you enable Accept Hosted (strongly recommended), using this payment method for all credit card transactions may make you eligible for PCI Self-Assment Questionnaire (SAQ) A. In this case, all payment collection is offloaded to Authorize.Net and does not touch the checkout.
  
  
• If you enable Accept.js, using this payment method for all credit card transactions may make you eligible for PCI SAQ A-EP. In this case, credit card data is entered on your checkout, but transmitted by JS to Authorize.Net for tokenization before being sent to your server. The raw credit card number never touches your server.
  
  
• If you do not enable Accept.js, this payment method falls under the scope of PCI SAQ D. The credit card number is sent to your server, then passed on to Authorize.Net for tokenization and storage in their Customer Information Manager service.

Note that you must have SSL enabled on all checkout and login forms, and that this eligibility only applies to this specific payment method. Any other payment methods or credit card handling your business may perform will have its own SAQ eligibility, and may require you to complete a more stringent SAQ form.

For details on the SAQ types and what eligibility means, see "Self-Assessment Questionnaire Instructions and Guidelines (3.2)" (PDF, by PCI Standards Security Council).